Skip to content
This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

Security issue in dependencies #2355

Closed
noraj opened this issue Apr 27, 2018 · 74 comments · Fixed by #2435
Closed

Security issue in dependencies #2355

noraj opened this issue Apr 27, 2018 · 74 comments · Fixed by #2435

Comments

@noraj
Copy link

noraj commented Apr 27, 2018

Update

Resolved in node-sass@4.9.3. Upgrade to quiet npm.


hoek@2.16.3 is vulnerable to CVE-2018-3728

for node-sass the problem comes from requiring request@2.79.0 in the package.json

dependency tree is as follow for 4.8.3

node-sass@4.8.3
|-request@2.79.0
 |-hawk@3.1.3
  |-hoek@2.16.3

and is the same for 4.9.0:

node-sass@4.9.0
|-request@2.79.0
 |-hawk@3.1.3
  |-hoek@2.16.3

Fix

To fix this request@2.82.0 or superior is required.

Context

  • NPM version (npm -v): 5.8.0
  • Node version (node -v): v9.11.1
  • Node Process (node -p process.versions):
{ http_parser: '2.8.0',
  node: '9.11.1',
  v8: '6.2.414.46-node.23',
  uv: '1.19.2',
  zlib: '1.2.11',
  ares: '1.13.0',
  modules: '59',
  nghttp2: '1.29.0',
  napi: '3',
  openssl: '1.0.2o',
  icu: '61.1',
  unicode: '10.0',
  cldr: '33.0',
  tz: '2018c' }
  • Node Platform (node -p process.platform): linux
  • Node architecture (node -p process.arch): x64
  • node-sass version (node -p "require('node-sass').info"):
node-sass	4.9.0	(Wrapper)	[JavaScript]
libsass  	3.5.4	(Sass Compiler)	[C/C++]
  • npm node-sass versions (npm ls node-sass):
├─┬ gulp-sass@4.0.1
│ └── node-sass@4.9.0  deduped
└── node-sass@4.9.0 

Related issues

request:

request/request#2926
request/request#2874

node-sass:

#2352
#2288
#2262
#2252
#2170
#2256

Problem

xzyfer in #2352

It cannot be fixed without break node < 4 support

I also see in #2288 that the problem is solved in node-sass v5.

So this ticket need to stay opened until v5 is released. Please don't close it.

@samrispaud
Copy link

i see the fix is on master :) is there a timeline on when the next major or minor release will be with this change?

@xzyfer
Copy link
Contributor

xzyfer commented May 7, 2018 via email

@noraj
Copy link
Author

noraj commented May 8, 2018

@samrispaud

That's what I said ;-)

I also see in #2288 that the problem is solved in node-sass v5.

So this ticket need to stay opened until v5 is released. Please don't close it.

@cloakedninjas
Copy link

What about creating a 4.10.0 release that just bumps the request dependency ?

@xzyfer
Copy link
Contributor

xzyfer commented May 9, 2018 via email

@noraj
Copy link
Author

noraj commented May 9, 2018

@cloakedninjas It's a wait and see for v5 release.

@chriseppstein
Copy link
Contributor

As I understand it, you can change the node engine version requirement and do a minor release. It doesn't violate semver for the people on the old node versions because the new versions of the package are excluded from that code's dependency version resolution.

@xzyfer
Copy link
Contributor

xzyfer commented May 9, 2018 via email

@ataylorme
Copy link

Node 4 became end of life on May 1st (source). Can you provide some background on the decision to continue supporting it after end of life rather than pushing out a security fix? I'm not disagreeing with any decision but rather seek to understand it. For example, are there a large number of Node 4 users?

@noraj

This comment has been minimized.

@florianbrinkmann
Copy link

node-gyp, another dependency of node-sass, also uses the old version of the request library. I asked if they would update it, but the answer was no. Does that mean that the security issue will remain because both request dependencies will be loaded (the updated one from node-sass and the old one from node-gyp)?

@Rohithzr

This comment has been minimized.

@akuznetsov-gridgain

This comment has been minimized.

@andrevenancio

This comment has been minimized.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 4, 2018

Why do you keep deleting comments from people?

"mee too" and "+1" comments add no practical value. They only add noise.

Is there guidelines on how to comment an issue that we're breaking

Comments should add some new information to the issue at hand. Otherwise they're just adding more work for people trying to the useful information in the issue.

In most cases the (now deleted) comments showed no indication the OP had made any effort to read the existing discussion.

The point of commenting on an open source project is to voice our [..]

You can use GitHubs to emoji reactions to add support for an issue, or subscribe for updates.

to support a minority of people using node < 4

Please don't make baseless generalisations. We still get a lot of install for Node < 4. Even a minority of users at our install volume is a lot of installs.

For v5 we made the hard to call to drop support for Node < 6.


We've explained multiple times in this issue why this is blocked, however hidden by GitHub due to the high volume of "me too" comments.

As a summary:

  • we are unable to upgrade without breaking things Node < 4 users
  • v5 updates our dependency on request
    • but node-gyp is still locked the same version for the same reason

After some investigation from @Rohithzr in #2417 there isn't a path for us to drop our dependency on node-gyp at this time. So npm audit will continue to complain (as far as we've been informed).

We will be moving forward with v5 in the coming weeks, but at this point in time it's unclear whether the request update will quiet the warning.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 4, 2018

Update

request@2.87.0 removed the dependency on hoek (request/request#2943)
recently. This restores support for Node < 4. This means we bump
to the latest request which hopefully resolves npm audit warnings.

Should we need to address node-gyp warning we'll track that in a
different issue.

@Rohithzr
Copy link

Rohithzr commented Jul 4, 2018

@xzyfer thats a great news i suppose, I shall run some tests and make a PR

@vishnugupta20

This comment has been minimized.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 4, 2018

@Rohithzr see #2435

I've tested locally and it looks positive. We'll see what CI thinks.

@Rohithzr

This comment has been minimized.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 4, 2018

@vishnugupta20 if #2435 passes I'll release a v4.9.1 with request updated in the next 24hrs.

@vishnugupta20

This comment has been minimized.

@Rohithzr

This comment has been minimized.

@guidobouman
Copy link

One thing to note is that this security issue is mainly irrelevant to node-sass. GitHub is flagging this as a security vulnerability, but node-sass never sees any exposure to your live code. The attack vector is when a request from the outside world can trigger a node-sass build with custom data. CSS is (usually) precompiled during a build stage, whether on a CI or a local machine. It runs on machines you protect from the outside world, it's never really exposed on a network.

Anything opening node-sass to the outside world is a highly specific case. The only use case I can currently think of is something like CodePen / JSFiddle. And even then my best guess is that node-sass is not vulnerable because nor they nor request use methods that could lead to remote code execution.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 4, 2018 via email

@bardware

This comment has been minimized.

@guidobouman

This comment has been minimized.

@ryanrolds

This comment has been minimized.

@rooby

This comment has been minimized.

@xzyfer
Copy link
Contributor

xzyfer commented Jul 5, 2018

Update

Resolved in node-sass@4.9.1. Upgrade to quiet npm.

@sass sass locked as resolved and limited conversation to collaborators Jul 5, 2018
@nschonni
Copy link
Contributor

Re-opening till nodejs/node-gyp#1471 lands, but keeping locked

@nschonni nschonni reopened this Jul 26, 2018
nschonni added a commit to nschonni/node-sass that referenced this issue Aug 9, 2018
@nschonni
Copy link
Contributor

nschonni commented Aug 9, 2018

node-gyp 3.8.0 was released with a bump in their request version https://github.com/nodejs/node-gyp/blob/master/CHANGELOG.md#v380-2018-08-09.
Clearing your lockfile and re-installing may resolve your issues now. PR to update the minimum version in this repo has been submited.

xzyfer pushed a commit that referenced this issue Aug 9, 2018
@xzyfer
Copy link
Contributor

xzyfer commented Aug 9, 2018

Update

Resolved in node-sass@4.9.3. Upgrade to quiet npm.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.