SECURITY: Vulnerability in transient dependency #70

manuelkiessling · 2018-03-07T09:24:38Z

Here is the output of NSP:

yarn run nsp check
yarn run v1.3.2
$ /.bin/nsp check
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ redacted > uppy-server@0.11.1 >                  │
│            │ grant-express@3.8.0 > grant@3.8.0 > request@2.81.0 > hawk@3.1.3 >  │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

Also see simov/grant/issues/86 for the issue in the project which can actually fix the problem.

The text was updated successfully, but these errors were encountered:

ifedapoolarewaju · 2018-03-08T06:27:14Z

@manuelkiessling thank you for reporting this. I'll look into it.

simov · 2018-03-14T17:04:11Z

👋 I've resolved the security issue in Grant v4, so all you need to do is bump the version here. Also check out the changelog. Migration should be pretty straightforward.

Let me know if you have any issues!

ifedapoolarewaju · 2018-03-14T23:18:23Z

@simov I did run into an issue after upgrading to Grant 4. See here

simov · 2018-03-15T00:20:08Z

Fixed in version 4.0.1 🎉

ifedapoolarewaju · 2018-03-15T11:44:29Z

upgraded, thanks for all the input in this 😉

manuelkiessling · 2018-03-15T12:01:40Z

@ifedapoolarewaju and @simov, thank you so much for doing such an awesome job for all of us, highly appreciated!

manuelkiessling mentioned this issue Mar 14, 2018

SECURITY: Depend on request@2.83.1 instead of 2.81.0 to mitigate vulnerability in transient dependency hoek@2.16.3 simov/grant#86

Closed

ifedapoolarewaju closed this as completed Mar 15, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SECURITY: Vulnerability in transient dependency #70

SECURITY: Vulnerability in transient dependency #70

manuelkiessling commented Mar 7, 2018

ifedapoolarewaju commented Mar 8, 2018

simov commented Mar 14, 2018

ifedapoolarewaju commented Mar 14, 2018

simov commented Mar 15, 2018

ifedapoolarewaju commented Mar 15, 2018

manuelkiessling commented Mar 15, 2018

SECURITY: Vulnerability in transient dependency #70

SECURITY: Vulnerability in transient dependency #70

Comments

manuelkiessling commented Mar 7, 2018

ifedapoolarewaju commented Mar 8, 2018

simov commented Mar 14, 2018

ifedapoolarewaju commented Mar 14, 2018

simov commented Mar 15, 2018

ifedapoolarewaju commented Mar 15, 2018

manuelkiessling commented Mar 15, 2018