Security issue: Prototype pollution attack(Introduced by the request@2.79.0 => hawk@3.1.3 => hoek@2.16.3)

[MichaelTsengLZ]

The latest version node-sass@4.7.2 uses request@~2.79.0. However, request@~2.79.0 has a vulnerability which is introduced by hoek@2.16.3. More information is here:

https://nodesecurity.io/advisories/566
https://snyk.io/vuln/npm:hoek:20180212

Could you please update request to the latest version to solve the vulnerability? Thank you so much.

• NPM version (npm -v): 5.4.2
• Node version (node -v): v8.8.1
• Node Process (node -p process.versions):

{ 
  http_parser: '2.7.0',
  node: '8.8.1',
  v8: '6.1.534.42',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  modules: '57',
  nghttp2: '1.25.0',
  openssl: '1.0.2l',
  icu: '59.1',
  unicode: '9.0',
  cldr: '31.0.1',
  tz: '2017b' 
}

• Node Platform (node -p process.platform): darwin
• Node architecture (node -p process.arch): x64
• node-sass version (node -p "require('node-sass').info"):

node-sass	4.7.2	(Wrapper)	[JavaScript]
libsass  	3.5.0.beta.2	(Sass Compiler)	[C/C++]

• npm node-sass versions (npm ls node-sass):

cla-assistant@1.4.1 /Users/microsoft/Michael/MicrosoftRepo/cla/cla-assistant
└─┬ node-sass-middleware@0.11.0
  └── node-sass@4.7.2

[nschonni]

Duplicate of a bunch of existing tickets. See #2355 for the new general tracking issue

[philwareham]

Just a heads-up: GitHub is now flagging up this vulnerability on any repos that have Node-Sass in the package-lock.json (at least in Node-Sass 4.9.0).

[asommer70]

@philwareham I installed the v5 branch with:

npm install --save https://github.com/sass/node-sass/tarball/v5

And that fixed the hoek problem due to the request version being updated in node-sass. Everything seems to work fine for me, but my project is pretty simple as far as SASS is concerned.

Your mileage may vary...

[jgmcelwain]

Any chance we get the v5 branch on npm as node-sass@next?

[xzyfer]

The API hasn't stabilised yet

…

On Sat., 28 Apr. 2018, 12:06 am Jamie McElwain, ***@***.***> wrote: Any chance we get the v5 branch on npm as ***@***.***? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2288 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAjZWJX7MMblRppAxXtOqYhJxTpWe0Svks5tsyXUgaJpZM4Sq3ob> .

[xzyfer]

If you desperately need to work around this issue you can install node-sass@4.7.0 exactly. It is the last version before we locked down the request version range.

…

On Sat., 28 Apr. 2018, 12:44 am Michael Mifsud, ***@***.***> wrote: The API hasn't stabilised yet On Sat., 28 Apr. 2018, 12:06 am Jamie McElwain, ***@***.***> wrote: > Any chance we get the v5 branch on npm as ***@***.***? > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#2288 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AAjZWJX7MMblRppAxXtOqYhJxTpWe0Svks5tsyXUgaJpZM4Sq3ob> > . >

[EmilyRosina]

Okay I fixed my issue, ty @xzyfer for your suggestion - but due my own package.lock needing request version range, and every time I tried to install node-sass@4.7.0 it kept denying me, something about other packages relying on dependencies of node-sass or request.. not sure as can't seem to find the error within the window now 😭

My Solution

Fixed by updating all first level package.lock dependencies that have their own dependency of hoek somewhere down the chain, fixed for all apart from node-sass which had to use @asommer70's suggestion.

Now no security error 🎉 👍