Hawk dependency causes security risk #2874
Comments
Yup! Same one, with different path (for some reason…?): request@2.83.0 > hawk@3.1.3 > hoek@2.16.3
Latest
In order to avoid a known vulnerability in hoek. request@2.83.0 > hawk@6.0.2 > hoek@4.2.0 https://nodesecurity.io/advisories/566 https://hackerone.com/reports/310439 Closes request#2874
This is also an issue with earlier releases. We use Btw
Bcrypt, with more than half a million downloads last month according to npm, is also vulnerable to the Prototype Pollution Attack due to
@ferrao there is an open issue in
Just update hawk line to >= v7.x.x hoek has been updated to last which is patched according to nsp:
+1
Is there a timeline for publishing
@preeteshjain raised a PR, but there are a number of test failures, so it might not be a trivial fix.
@jwalton There's definitely some issue with the CI integration. I checked on Travis, it is failing with this error for everyone:
See this comment: #2871 (comment)
@preeteshjain actually for me the tests don't work locally either
-1 break node6 support
Then we should update the required NodeJS version for request to a version that is working... ;) Also since the current LTS is 8,10,0 I don't see a point to insist on using NodeJS 6.
Boron is in LTS until April 2019. Please do not break v6 support until it enters EOL.
Hoek's backported the fix and released it with 4.2.1, which satisfies the required versions all the way up the dependency tree without needing any changes in this repo. I was able to clear out the security notice by forcing an update:
Clearing out your
Yep. hoek 4.2.1 was released 2 months ago to fix the vulnerability. hawk@6.0.2's dependency on hoek is pinned at 4.x, meaning that if you reinstall fresh you should be pulling down 4.2.1. If you are pulling down 4.2.0 that is an issue with your project/package manager, not request.
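As an added check (not code from the request project or from anyone in this thread), the script below walks a package-lock.json-style dependency tree and reports every path that still resolves hoek below 4.2.1, the release the comment above names as patched. The lock data is constructed to mirror the chain reported in the issue, and the version comparison is a simplified numeric semver compare.

```javascript
// Added example: find dependency paths that still pin a hoek release older
// than the patched 4.2.1 named in the thread. Not part of the request project.

const FIXED_HOEK = '4.2.1'; // per the thread; anything below this is flagged

// Constructed sample in the shape of package-lock.json "dependencies" entries.
// It reproduces the chain from the issue plus a hoisted, already patched copy.
const sampleLock = {
  dependencies: {
    request: {
      version: '2.83.0',
      dependencies: {
        hawk: {
          version: '6.0.2',
          dependencies: { hoek: { version: '4.2.0' } }, // stale nested copy
        },
      },
    },
    hoek: { version: '4.2.1' }, // hoisted copy, already patched
  },
};

// Minimal numeric semver comparison (no prerelease tags in this data).
// Returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return "name@version > ... > hoek@x.y.z" strings for every vulnerable hoek.
function findVulnerableHoek(lock, pkg = 'hoek', fixed = FIXED_HOEK) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkg && compareVersions(info.version, fixed) < 0) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here); // recurse into nested node_modules
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

console.log(findVulnerableHoek(sampleLock));
```

The hoisted 4.2.1 copy is not reported, only the nested 4.2.0 under hawk, which is the situation a fresh reinstall would clear.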
And now
Almost fixed hoek package, dependency of hawk -> request -> node-sass request/request#2874 Waiting for version 5 of node-sass sass/node-sass#2170
This seems to have been fixed. See:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I recently ran a Node Security scan on a project that uses Request and found a security issue related to the version of Hawk (and subsequently Hoek) that Request is using.
request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439