
hoek node module vulnerability (CVE-2018-3728) defined in jane/package-lock.json #50

Closed
ghost opened this issue May 2, 2018 · 3 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@ghost

ghost commented May 2, 2018

https://nvd.nist.gov/vuln/detail/CVE-2018-3728

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

file jane/package-lock.json

    "hoek": {
      "version": "2.16.3",
      "resolved": "http://registry.npm.taobao.org/hoek/download/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }

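The behaviour the CVE text above describes, as an added example that is not hoek's own code: a naive recursive merge that reaches Object.prototype through a "__proto__" key, next to a hardened merge that skips prototype-chain keys. PAYLOAD is a constructed input and the function names are assumptions, not hoek's API.

```javascript
// Added example, not hoek's code: a naive recursive merge of the kind
// CVE-2018-3728 describes, next to a hardened merge that refuses such keys.

// Constructed input, shaped like a JSON body a service might merge into its
// defaults. JSON.parse creates "__proto__" as an ordinary own key.
const PAYLOAD = JSON.parse('{"name":"jane","__proto__":{"polluted":true}}');
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: every own key of source is merged into target. For the
// key "__proto__", target[key] is target's prototype (Object.prototype for a
// plain object), so the recursion writes into it, and every object sees it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: keys that address the prototype chain are skipped, and a
// nested merge only descends into an own, plain-object property of target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges PAYLOAD into fresh defaults, reports whether Object.prototype gained
// "polluted", then deletes it so the rest of the process is unaffected.
function mergeAndCheck(mergeFn) {
  const result = mergeFn({ theme: 'default' }, PAYLOAD);
  const leaked = hasOwn(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return { leaked, name: result.name, theme: result.theme };
}

console.log({ naive: mergeAndCheck(naiveMerge).leaked, safe: mergeAndCheck(safeMerge).leaked }); // { naive: true, safe: false }
```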

@xianmin
Owner

xianmin commented May 3, 2018

I have updated the npm packages and package-lock.json. I'm not sure if this problem is fixed.

@xianmin xianmin added help wanted Extra attention is needed good first issue Good for newcomers labels May 3, 2018
@Zebradil
Collaborator

Zebradil commented May 3, 2018

Still have

        "hoek": {
          "version": "2.16.3",
          "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
          "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
          "dev": true
        },

This version is required by hawk, sntp and boom packages. Not sure if we really can avoid these dependencies.

@xianmin
Owner

xianmin commented May 3, 2018

Related issue:

sass/node-sass#2355

@xianmin xianmin closed this as completed Dec 8, 2018