Github potential security vulnerability error for hoek node module

魔方 西西 submitted on 2019-12-03 05:49:31

Question


Today GitHub is showing the following error on my GitHub repository:

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

On clicking the Review vulnerable dependency button, the following message was displayed:

hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'

Until yesterday it was not showing this error. I have not pushed to this repository for more than 5 days. Any idea why it is happening?


Answer 1:


I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment).

Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall order), which is more aligned with this comment (from JamesSingleton).

(rm package-lock.json is only if it exists.)

Edit: In yet a third app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated the package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1 (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 Site:

I updated all my packages to their major versions using npm outdated. I then ran:

npm i hoek@latest --save && npm up hoek

npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save

There were two holdouts: browser-sync 2.23.7 and node-sass 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.




Answer 2:


I used npm update hoek && npm install hoek and the package was updated to 5.0.3.

The vulnerability alert disappeared from my GitHub repo after that.




Answer 3:


npm update should work only if the vulnerable package is declared as a direct dependency of the project. But usually (as in the case of hoek) vulnerabilities lie in packages that sit deep down in your sub-dependency tree.

Since in my case I decided not to update all the dependencies of my project (by deleting and rebuilding the entire package-lock.json file), I went for the following (and, of course, more time-consuming) approach:

  • find all the occurrences of the vulnerable package in my package-lock.json
  • bubble up the dependency tree to find which top-level packages import them
  • uninstall and re-install those top-level packages using the same minor version

Like:

npm r package-1 package-2 && npm i package-1@^1.2.3 package-2@^1.2.3

This approach will work only if the vulnerable package has been fixed and released, and the consuming packages import the vulnerable one with a loose version number open to patch or minor versions.




Answer 4:


None of the above worked for me. My hoek dependency was deep in the subtrees. I first did npm ls hoek and got something like this:

├── hoek@5.0.3
└─┬ watson-developer-cloud@2.42.0
  ├─┬ request@2.83.0
  │ └─┬ hawk@6.0.2
  │   ├─┬ boom@4.3.1
  │   │ └── hoek@4.2.1  deduped
  │   ├─┬ cryptiles@3.1.2
  │   │ └─┬ boom@5.2.0
  │   │   └── hoek@4.2.1  deduped
  │   ├── hoek@4.2.1
  │   └─┬ sntp@2.1.0
  │     └── hoek@4.2.1  deduped
  └─┬ solr-client@0.7.0
    └─┬ request@2.81.0
      └─┬ hawk@3.1.3
        ├─┬ boom@2.10.1
        │ └── hoek@2.16.3  deduped
        ├── hoek@2.16.3
        └─┬ sntp@1.0.9
          └── hoek@2.16.3  deduped

I then saw that what really needs to be updated is watson-developer-cloud, since that is what is using hoek at the top level.

I then did npm install watson-developer-cloud@latest and that solved it.
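Answers 3 and 4 both come down to the same procedure: find every copy of the vulnerable package in the lock file, walk up to the top-level dependency that pulls it in, and reinstall that one. The following script, added here as an illustration and not taken from any of the answers, automates that walk over a lockfileVersion 1 package-lock.json (the nested `dependencies` shape npm 5 and 6 wrote). SAMPLE_LOCK is a constructed, trimmed-down lock file shaped like the `npm ls hoek` tree in answer 4, and the fixed-version list for hoek (4.2.1 and 5.0.3) is the one given in answer 8.

```javascript
// Added example (not from the Stack Overflow answers): walk a lockfileVersion 1
// package-lock.json, list every copy of a package still below the fixed
// version, and name the top-level dependency that pulls each one in.
// SAMPLE_LOCK is a constructed sample, not a real project's lock file.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "5.0.3" },
    "watson-developer-cloud": {
      version: "2.42.0",
      dependencies: {
        request: {
          version: "2.83.0",
          dependencies: {
            hawk: {
              version: "6.0.2",
              dependencies: { hoek: { version: "4.2.1" }, boom: { version: "4.3.1" } },
            },
          },
        },
      },
    },
    "solr-client": {
      version: "0.7.0",
      dependencies: {
        request: {
          version: "2.81.0",
          dependencies: {
            hawk: { version: "3.1.3", dependencies: { hoek: { version: "2.16.3" } } },
          },
        },
      },
    },
  },
};

// Numeric comparison of dotted versions; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// fixedVersions lists the first fixed release of each maintained major line
// (for hoek: 4.2.1 and 5.0.3). A version is vulnerable when it is below the
// fix for its own major, or when its major predates every fixed line.
function isVulnerable(version, fixedVersions) {
  const majorOf = (v) => Number(v.split(".")[0]);
  const sameMajor = fixedVersions.filter((f) => majorOf(f) === majorOf(version));
  if (sameMajor.length > 0) return compareVersions(version, sameMajor[0]) < 0;
  return majorOf(version) < Math.min(...fixedVersions.map(majorOf));
}

// Depth-first walk over the nested `dependencies` objects of a v1 lock file.
// Each hit records the full path, so the first element is the top-level
// package that has to be reinstalled.
function findVulnerable(lock, pkgName, fixedVersions) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, { name, version: entry.version }];
      if (name === pkgName && isVulnerable(entry.version, fixedVersions)) {
        hits.push({
          version: entry.version,
          topLevel: here[0].name,
          path: here.map((p) => `${p.name}@${p.version}`).join(" > "),
        });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Unique top-level packages to reinstall: the targets for answer 3's
// `npm r ... && npm i ...` step.
function topLevelsToReinstall(hits) {
  return [...new Set(hits.map((h) => h.topLevel))].sort();
}

for (const h of findVulnerable(SAMPLE_LOCK, "hoek", ["4.2.1", "5.0.3"])) {
  console.log(`${h.version} via ${h.path}`);
}
```

On the sample this reports only the hoek@2.16.3 copy under solr-client; the 4.2.1 and 5.0.3 copies are already at or above the fix for their major line, which is why answer 4 only had to bump one top-level package. To run it on a real project, replace SAMPLE_LOCK with the parsed contents of your package-lock.json; lock files of version 2 or 3 keep a flat `packages` map keyed by `node_modules/...` paths instead, and the walk would need to split those paths rather than recurse.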




Answer 5:


Try running npm install hoek@4.2.x or npm install hoek@5 in your project.

That will install the required latest version of hoek into the package.json dependencies, overwriting the above hoek version in package-lock.json.




Answer 6:


Found a solution here.

Basically, in git bash, cd to your project folder and type the following commands:

npm i hoek
npm uninstall hoek
npm update
npm install

then

git add .
git commit -m 'update-hoek'
git push origin master

Now check your GitHub project page again, the warning should disappear.

Regards.




Answer 7:


I tried all the above, but none worked for me, so I went ahead to check the root cause of mine.

I ran npm ls hoek which gave me:

├─┬ fuse-box@3.3.0
│ └─┬ request@2.81.0
│   └─┬ hawk@3.1.3
│     ├─┬ boom@2.10.1
│     │ └── hoek@2.16.3
│     ├── hoek@2.16.3
│     └─┬ sntp@1.0.9
│       └── hoek@2.16.3
└── hoek@5.0.3

I checked the version of my hawk against the one on npm (hawk), so I ran npm i hawk --save. After which I again ran my normal git commands:

git add .
git commit -m 'whatever_message'
git push

And went back to Github and my security vulnerability was fixed.




Answer 8:


Yes, the package CVE-2018-3728 is vulnerable. The versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The affected versions of hoek are up to version 5.0.2. The remediation is to update to version 4.2.1, 5.0.3 or later. For more information, you can view the fix pull request here: https://github.com/hapijs/hoek/pull/231/commits/5aed1a8c4a3d55722d1c799f2368857bf418d6df
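The bug class named above, prototype pollution through a deep merge, is worth seeing in its mitigated form: a merge that copies only the source object's own enumerable keys and refuses the keys that reach the prototype chain cannot modify Object.prototype no matter what untrusted JSON it is handed. The code below is an added illustration written for this page; it is not hoek's source and not the linked pull request. `safeMerge`, `isPlainObject`, `prototypeHasOwn` and `demo` are names chosen here, and the inputs are constructed.

```javascript
// Added example (not hoek's code): a deep merge that treats the incoming
// object as untrusted data and cannot reach Object.prototype. `prototypeHasOwn`
// is a helper added here to confirm afterwards that the shared prototype
// is unchanged.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (literal / JSON-parsed / null-prototype) are merged
// recursively; arrays, class instances, Dates etc. are assigned wholesale.
function isPlainObject(v) {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Merge `source` into `target` in place and return `target`.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {        // own enumerable keys only
    if (BLOCKED_KEYS.has(key)) continue;            // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse into an existing own plain object, otherwise start a fresh one;
      // never reuse something inherited from the prototype.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True if Object.prototype has acquired an own property of that name, which
// would make every fresh `{}` see it: the symptom of prototype pollution.
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed inputs: application defaults, a legitimate config overlay, and
// an untrusted JSON body that carries "__proto__" keys at two depths
// (JSON.parse creates "__proto__" as an ordinary own property, so a merge
// that copies keys blindly would write into Object.prototype).
const defaults = { server: { port: 8080, tls: false }, retries: 3 };
const overlay = JSON.parse('{"server":{"tls":true},"retries":5}');
const untrusted = JSON.parse(
  '{"server":{"__proto__":{"polluted":true}},"__proto__":{"polluted":true}}'
);

// Apply both merges and report the result plus whether the prototype stayed clean.
function demo() {
  const merged = safeMerge(JSON.parse(JSON.stringify(defaults)), overlay);
  safeMerge(merged, untrusted);
  return { merged, polluted: prototypeHasOwn("polluted") };
}

console.log(JSON.stringify(demo()));
```

The check that matters in a test suite is the last line of `demo`: after merging the untrusted body, a fresh object must still not see a `polluted` property. Arrays are replaced rather than concatenated here, which is a design choice for config data; the real hoek merge exposes options for that, but the key filtering is the part that closes the reported hole.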



Source: https://stackoverflow.com/questions/50053991/github-potential-security-vulnerability-error-for-hoek-node-module
