hoek dependency potential security vulnerability

[epicserve]

Github sent me the message:
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

When I click on the details it say:

When I looked at what package is dependent on hoek I found this.

# npm ls hoek
/code
└─┬ gulp-sass@4.0.1
  └─┬ node-sass@4.9.0
    └─┬ request@2.79.0
      └─┬ hawk@3.1.3
        ├─┬ boom@2.10.1
        │ └── hoek@2.16.3  deduped
        ├── hoek@2.16.3
        └─┬ sntp@1.0.9
          └── hoek@2.16.3  deduped

[justlevine]

Confirmed.

Seemingly, node-sass is waiting for the v5 release to fix this: sass/node-sass#2288

[theenoahmason]

Confirmed as well.

@justlevine this is also an issue @ node-sass repo, but with all the other tickets consolidated:
sass/node-sass#2355

[georgemeehan]

Is there a way to update this manually?

[tjkohli]

@dlmanning any updates? We're happy to help.

[PRElias]

Waiting for an update on this too

[bra1n]

While we're all waiting for node-sass@v5, you could temporarily fix this issue by requiring a specific node-sass version from GitHub: sass/node-sass#2355 (comment)
"node-sass": "git+https://github.com/sass/node-sass.git#v4.7.0"

[RileyManda]

The solution to this issue is to change the version manually in your package-lock.json.
Change your version manually from 2.16.3 to 4.2.1
"hoek": { "version": "4.2.1", "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz", "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=", "dev": true
Then update your project on GitHub(commit/push)
Just make sure every hoek version in your package-lock.json version is changed to 4.2.1

[SimRunBot]

@RileyManda solution solved it for me.Thanks.

here is the NVD issue
it says:
hoek versions up to (excluding) 4.2.0
and versions from (including) 5.0.0 up to (excluding) 5.0.3
are affected by the vulnerability.

[Aceix]

apart from the annoyance, is there any troubling exploit?

[xzyfer]

No.

[Splaktar]

node-sass released v4.9.1 to fix this issue earlier today: sass/node-sass#2355 (comment). It looks like existing versions of gulp-sass will pull in this version and the fix automatically now.

[xzyfer]

npm update node-sass@latest --save

[epicserve]

@xzyfer,

It looks like this is still an issue, at least for me. I have "gulp-sass": "^4.0.1" in my package.json file and when I run npm i to update my package-lock.json file, I get some vulnerability warnings. When I run npm audit I get 4 warnings like the following.

[epicserve]

@xzyfer,

Also, here is a docker session to prove this is still an issue:

$ docker run -it node:9.11.2-alpine /bin/sh

/ # mkdir code
/ # cd code/

/code # npm init

...

/code # npm install gulp-sass --save-dev
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://nodesecurity.io/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

> node-sass@4.9.1 install /code/node_modules/node-sass
> node scripts/install.js

Downloading binary from https://github.com/sass/node-sass/releases/download/v4.9.1/linux_musl-x64-59_binding.node
Download complete .] - :
Binary saved to /code/node_modules/node-sass/vendor/linux_musl-x64-59/binding.node
Caching binary to /root/.npm/node-sass/4.9.1/linux_musl-x64-59_binding.node

> node-sass@4.9.1 postinstall /code/node_modules/node-sass
> node scripts/build.js

Binary found at /code/node_modules/node-sass/vendor/linux_musl-x64-59/binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN gulp-sass-test@1.0.0 No description
npm WARN gulp-sass-test@1.0.0 No repository field.

+ gulp-sass@4.0.1
added 227 packages in 13.239s

/code # npm list node-sass
gulp-sass-test@1.0.0 /code
`-- gulp-sass@4.0.1
  `-- node-sass@4.9.1

/code # cat package-lock.json | grep node-sass
          "node-sass": "4.9.1",
      "node-sass": {
        "resolved": "https://registry.npmjs.org/node-sass/-/node-sass-4.9.1.tgz",

/code # npm install -g npm@latest

/code # npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   gulp-sass [dev]

  Path            gulp-sass > node-sass > node-gyp > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   gulp-sass [dev]

  Path            gulp-sass > node-sass > node-gyp > request > hawk >
                  cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   gulp-sass [dev]

  Path            gulp-sass > node-sass > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   gulp-sass [dev]

  Path            gulp-sass > node-sass > node-gyp > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

found 4 moderate severity vulnerabilities in 566 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

[xzyfer]

@epicserve this is a different issue. See nodejs/node-gyp#1471

[magbicaleman]

npm update node-sass@latest --save This also does nothing for me, with version of gulp "gulp-sass": "^4.0.1",

[magbicaleman]

@RileyManda how does your solution work. I update my package-lock.json, removed my node_modules, then ran npm i and it overwrote my changes in my lock file.

[xzyfer]

This is unavoidable for at the moment. We need node-gyp to bump their request dependency.

Redirect your enthusiasm @ nodejs/node-gyp#1492

[RileyManda]

@magbicaleman I simply opened my package-lock.json,then find "hoek"(command F + hoek)in your ide,then replace the current version of all "hoek":"current version" appearance from the current version thats giving you vulnerability issues to:"hoek": "4.2.1".This is what my current package-lock.json file looks like after updating all hoek versions from old version/preinstalled version to 4.2.1:

"boom": { "version": "2.10.1", "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz", "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=", "dev": true, "requires": { "hoek": "4.2.1" } },
"hawk": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz", "integrity": "sha1-B4REvXwWQLD+VA0sm3PVlnjo4cQ=", "dev": true, "requires": { "boom": "2.x.x", "cryptiles": "2.x.x", "hoek": "4.2.1", "sntp": "1.x.x" } },
"hoek": { "version": "4.2.1", "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz", "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=", "dev": true },
"sntp": { "version": "1.0.9", "resolved": "https://registry.npmjs.org/sntp/-/sntp-1.0.9.tgz", "integrity": "sha1-ZUEYTMkK7qbG57NeJlkIJEPGYZg=", "dev": true, "requires": { "hoek": "4.2.1", } },
"boom": { "version": "2.10.1", "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz", "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=", "dev": true, "requires": { "hoek": "4.2.1" } },
I have only pasted the code snippets for all the hoek occurrences.
I changed the hoek version manually and the vulnerability issue was resolved.

[insetavijit]

any update guys ?