
vscode NPM module: Vulnerability alert for hoek < 5.0.3 #48783

Closed
gwicksted opened this issue Apr 26, 2018 · 26 comments
Labels
debt Code quality issues *duplicate Issue identified as a duplicate of another issue(s) extensions Issues concerning extensions

Comments

@gwicksted

  • VSCode Version: 1.1.14
  • OS Version: 10.0.16299.0

Steps to Reproduce:

  1. Create a new plugin project referencing vscode
  2. Commit to github repo
  3. Receive vulnerability report from github due to github scanning package.json and package-lock.json indicating:
Known vulnerability found
CVE-2018-3728
Moderate severity
hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' ...

package-lock.json update suggested:
hoek ~> 5.0.3
Always verify the validity and compatibility of suggestions with your codebase.

Does this issue occur when all extensions are disabled?: Yes (N/A)

CVE-2018-3728

I'm not sure if this can be solved without third-party buy-in from the following (npm ls hoek):

`-- vscode@1.1.14
  +-- gulp-remote-src@0.4.3
  | `-- request@2.79.0
  |   `-- hawk@3.1.3
  |     +-- boom@2.10.1
  |     | `-- hoek@2.16.3
  |     +-- hoek@2.16.3
  |     `-- sntp@1.0.9
  |       `-- hoek@2.16.3
  `-- request@2.85.0
    `-- hawk@6.0.2
      +-- boom@4.3.1
      | `-- hoek@4.2.1
      +-- cryptiles@3.1.2
      | `-- boom@5.2.0
      |   `-- hoek@4.2.1
      +-- hoek@4.2.1
      `-- sntp@2.1.0
        `-- hoek@4.2.1  deduped

My plugin paste-escaped shows the github report

It is likely vscode itself has not been notified due to the use of yarn vs. npm, and thus a different lockfile format.

@eamodio
Contributor

eamodio commented Apr 26, 2018

I've seen the same alert from GitHub on all my extensions.

@westonedwards

Same for me with several of my stuff. Ideas on how to correct the issue?

@jsc215

jsc215 commented Apr 27, 2018

I am having the same exact issue. A Google search led me here. Any solutions thus far?

@ICeZer0

ICeZer0 commented Apr 27, 2018

ditto! 😮

@justin-blankenship

Same here.

@nnguy152

Same!! What do

@papakay

papakay commented Apr 27, 2018

Same here. Please, how do I resolve this?

@danlauby

How does one update package-lock.json to the recommended version of hoek ~> 5.0.3?

@EmmanuelOgbewe

Same!

@damianperera

@dadlerj Updating your NPM modules should automatically sync the package-lock.json file. Simply run npm update in your project root.

@JamesSingleton

@damianperera Even after running npm update, my hoek version is at 4.2.0, even after removing the package-lock.json file, running npm update, as well as npm install.

@damianperera

@JamesSingleton If hoek is being used by another module(s) that you installed via npm, and not specifically by your project, you will need to wait until that module(s) is updated before issuing an npm update on your own project.

@llighter

Same for me.

@JamesSingleton

Hmm I wonder what else could be using it other than what is installed for the project... I have 5 projects with this notification. Thankfully they are older projects, but would like to get it updated.

@bpasero
Member

bpasero commented Apr 27, 2018

This depends on request/request#2926 which we depend on.

@bpasero bpasero self-assigned this Apr 27, 2018
@bpasero bpasero added the extensions Issues concerning extensions label Apr 27, 2018
@bpasero bpasero added this to the May 2018 milestone Apr 27, 2018
@bpasero bpasero changed the title Vulnerability alert for hoek < 5.0.3 vscode NPM module: Vulnerability alert for hoek < 5.0.3 Apr 27, 2018
@bpasero bpasero added the debt Code quality issues label Apr 27, 2018
@charmeem

charmeem commented Apr 27, 2018

Instead of updating I tried:
npm i hoek
and it updated hoek to 5.0.3

@hunterlong

+1

@JamesSingleton

I took @charmeem's idea a step further and it doesn't seem to have impacted anything. So I did npm i hoek, which then created a new dependency in my package.json that wasn't there before. After that, I did npm uninstall hoek, npm update for good measure, and then I did npm install, and now I don't have the warning message.

Once again, I am not sure of the impact on this as I was still able to run my code and everything like that. I just mainly wanted to stop the notifications from GitHub on my older projects.

@TizioFittizio

I followed @JamesSingleton's steps and it worked for me; now GitHub marks the vulnerability in my repo as resolved.

@JamesSingleton

@TizioFittizio Just keep in mind that it removes hoek from your package-lock.json. However, some other stuff will have it as a dependency for a later version... I think I saw one that had a dependency of hoek 2.2. But like I said, I'm not entirely sure what it's used for, as my app was still able to run just fine.

@llighter

I also followed @JamesSingleton's steps.
It worked for me too.

@bpasero
Member

bpasero commented Apr 27, 2018

Moving into microsoft/vscode-extension-vscode#106 where it belongs.

@bpasero bpasero closed this as completed Apr 27, 2018
@bpasero bpasero removed this from the May 2018 milestone Apr 27, 2018
@sheldonfish

Worked for me with @JamesSingleton's solution (npm i hoek, npm uninstall hoek, npm update, npm install). Thanks!

xianmin added a commit to xianmin/hugo-theme-jane that referenced this issue May 3, 2018
skmdev added a commit to skmdev/koa-decorator-ts that referenced this issue May 3, 2018
@oscar-gomez

I followed @JamesSingleton's steps and it worked for me, thanks!!

@usmanaliqureshi

Another alternative way is to use npm audit, which will display all the vulnerable or outdated dependencies in your package.json or package-lock.json; you can then simply follow the instructions shown along with the other information in the audit.
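The workaround JamesSingleton describes above and the npm audit suggestion both come down to finding which copy of hoek in the lock file is still old and which parent package pulls it in. As an added example (not code from the issue or from the vscode project), the following walks a lockfileVersion 1 package-lock.json and reports every hoek copy below the fixed releases named in the thread, with its dependency path; the sample lock, FIXED_HOEK, and the function names are constructed for this example.

```javascript
// Added example (not from the issue or the vscode project): walk a lockfileVersion-1
// package-lock.json (nested "dependencies" objects) and report every copy of a
// package older than its fixed release, with the path showing which parent pins it.
const FIXED_HOEK = ["4.2.1", "5.0.3"]; // fixed hoek releases named in the thread

// Simplified semver: strip a range prefix such as "~" or "^", keep major.minor.patch.
const parseVersion = (v) => v.replace(/^\D*/, "").split(".").map(Number);

function isVulnerable(version, fixedVersions) {
  const [maj, min, pat] = parseVersion(version);
  const fixed = fixedVersions.map(parseVersion);
  const line = fixed.find((f) => f[0] === maj);
  // Majors older than the oldest fixed line (hoek 2.x, 3.x) never got a fix.
  if (!line) return maj < Math.min(...fixed.map((f) => f[0]));
  return min < line[1] || (min === line[1] && pat < line[2]);
}

// Recursive walk; returns [{ path, version, vulnerable }] for every copy found.
function findPackage(lock, name, fixedVersions) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, `${dep}@${info.version}`];
      if (dep === name) {
        hits.push({ path: here.join(" > "), version: info.version,
                    vulnerable: isVulnerable(info.version, fixedVersions) });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock modelled on the npm ls tree quoted in the issue: the
// request@2.85.0 chain carries hoek 4.2.1, but the copy nested under
// gulp-remote-src > request@2.79.0 > hawk@3.1.3 is still hoek 2.16.3.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  vscode: { version: "1.1.14", dependencies: {
    "gulp-remote-src": { version: "0.4.3", dependencies: {
      request: { version: "2.79.0", dependencies: {
        hawk: { version: "3.1.3", dependencies: { hoek: { version: "2.16.3" } } } } } } },
    request: { version: "2.85.0", dependencies: {
      hawk: { version: "6.0.2", dependencies: { hoek: { version: "4.2.1" } } } } } } } } };

// "npm update" cannot move these: the old hawk in this chain resolves to hoek 2.x,
// so a parent (request / gulp-remote-src) has to be upgraded instead.
function vulnerableHoekPaths(lock = SAMPLE_LOCK) {
  return findPackage(lock, "hoek", FIXED_HOEK).filter((h) => h.vulnerable).map((h) => h.path);
}
console.log(vulnerableHoekPaths());
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.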

iocron added a commit to iocron/typo3-gulp-scss that referenced this issue May 31, 2018
Dependency (Hapijs / Hoek, currently v2.16.3) Security Issue / Fix:

hoek node module before 5.0.3 or 4.2.1 suffers from a Modification of Assumed-Immutable Data (MAID)

microsoft/vscode#48783
https://nvd.nist.gov/vuln/detail/CVE-2018-3728
@boompah

boompah commented Jun 4, 2018

Thanks @JamesSingleton really appreciate it! Followed the steps and it worked.

@vscodebot vscodebot bot locked and limited conversation to collaborators Jun 11, 2018