19

Today GitHub is showing the following error on my GitHub repository:

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

On clicking the Review vulnerable dependency button, the following message was displayed:

hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'

Until yesterday it was not showing such an error. I have not done any push to this repository for more than 5 days. Any idea why it is happening?

Yuvraj Patil
  • It's very much possible that a security vulnerability in hoek was only discovered recently. It's clearly happening because a) your project uses hoek, b) certain versions of hoek have a security vulnerability, and c) Github now considers this vulnerability sufficiently important to warn you. The fact that you haven't pushed for days is completely irrelevant. – nanofarad Apr 27 '18 at 02:14

8 Answers

8

I used: rm package-lock.json && npm update && npm install. For me this updated hoek to 4.2.1, which also contains the fix (per this comment).

Edit: In another app, I ran rm package-lock.json and either npm i hoek && npm up && npm i && npm un hoek or npm i hoek && npm un hoek && npm up && npm i (can't recall order), which is more aligned with this comment (from JamesSingleton).

(rm package-lock.json is only if it exists.)

Edit: In yet a 3rd app, I checked npm outdated and found I had to upgrade react-scripts-ts from 2.13.0 to 2.15.1. For this, I updated the package.json manually, then just ran npm i. Once done, hoek updated to 4.2.1. (specifically targeting that one holdout/primary component).

Edit: My solution for a Zurb Foundation 6 Site:

I updated all my packages to their major versions using npm outdated. I then ran:

npm i hoek@latest --save && npm up hoek

npm i boom hawk sntp uncss gulp-uncss --save && npm up boom hawk sntp uncss gulp-uncss && npm un boom hawk sntp gulp-uncss uncss --save

There were two holdouts: browser-sync 2.23.7 and node-sass 4.9.0, both at their latest versions. No matter: the GitHub warning resolved after commit.

Keith DC
  • I tried all the solutions mentioned by you but unfortunately none of them worked for me. – Yuvraj Patil May 21 '18 at 15:45
  • Most of my apps also did not have `hoek` as a direct dependency, but installing it as one propagated the newer version down through the sub-packages. @YuvrajPatil In your `package-lock.json`, what sub-packages show as still dependent on the older `2.16.3`? – Keith DC May 21 '18 at 19:45
  • `npm i hoek@latest --save && npm up hoek` worked for me. Thank you Keith – cup_of Jul 14 '18 at 06:57
5

I used npm update hoek && npm install hoek and the package was updated to 5.0.3.

The vulnerability alert disappeared from my GitHub repo after that.

  • On my 3rd app, in addition to upgrading my component, I also had to `npm i hoek && npm up` as well. These dependency warnings are certainly teaching me more about `npm`. – Keith DC Apr 27 '18 at 10:35
  • In my case hoek is not a direct dependency, hence it did not work. – Yuvraj Patil May 21 '18 at 15:18
5

npm update should work only if the vulnerable package is declared as a direct dependency of the project. But usually (as in the case of hoek) vulnerabilities lie in packages that live further down in your sub-dependency tree.

Since in my case I decided not to update all the dependencies of my project (by deleting and rebuilding the entire package-lock.json file), I went for the following (and, of course, more time-consuming) approach:

  • find all the occurrences of the vulnerable package in my package-lock.json
  • follow up the dependency tree to find which top-level packages import them
  • uninstall and re-install those top-level packages using the same minor version

Like:

npm r package-1 package-2 && npm i package-1@^1.2.3 package-2@^1.2.3

This approach will work only if the vulnerable package was fixed and released and the consuming packages import the vulnerable one with a loose version number open to patch or minor versions.

Andrea Carraro
  • `node-sass` for example willingly imports the old `hoek` version to maintain backwards compatibility :( https://github.com/sass/node-sass/pull/2170 – Bernhard Döbler May 28 '18 at 14:26
5

None of the above worked for me. My hoek dependency was deep in the subtrees. I first did npm ls hoek and got something like this:

├── hoek@5.0.3
└─┬ watson-developer-cloud@2.42.0
  ├─┬ request@2.83.0
  │ └─┬ hawk@6.0.2
  │   ├─┬ boom@4.3.1
  │   │ └── hoek@4.2.1  deduped
  │   ├─┬ cryptiles@3.1.2
  │   │ └─┬ boom@5.2.0
  │   │   └── hoek@4.2.1  deduped
  │   ├── hoek@4.2.1
  │   └─┬ sntp@2.1.0
  │     └── hoek@4.2.1  deduped
  └─┬ solr-client@0.7.0
    └─┬ request@2.81.0
      └─┬ hawk@3.1.3
        ├─┬ boom@2.10.1
        │ └── hoek@2.16.3  deduped
        ├── hoek@2.16.3
        └─┬ sntp@1.0.9
          └── hoek@2.16.3  deduped

I then saw that what really needs to be updated is watson-developer-cloud, since that is what is using hoek at the top level.

I then did npm install watson-developer-cloud@latest and that solved it.

Stephen Rauch
Horea Porutiu
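The procedure Andrea Carraro describes (find every occurrence of the vulnerable package in package-lock.json, walk the tree up to the top-level package, and check whether the consumer's range can take the fix) and the npm ls hoek tree in the answer just above can be automated. The following is an added example written for this page, not code from either answer or from npm. It assumes the lockfileVersion 1 layout that npm 5 and 6 wrote (nested dependencies objects, each with a requires map of ranges); the SAMPLE_LOCK data is constructed to mirror the tree above with illustrative ranges, and the range matcher covers only exact pins, ^, ~, x-ranges and *. The fixed hoek versions 4.2.1 and 5.0.3 are the ones the answers on this page cite.

```javascript
// Added example, not code from any answer on this page or from npm. Walks a
// lockfileVersion 1 package-lock.json (npm 5/6 layout: nested "dependencies"
// objects, each with a "requires" map of ranges), lists every installed copy
// of a package that is vulnerable with the top-level dependency it sits under,
// and checks whether each package requiring it uses a range loose enough to
// accept a fixed release. Range handling is a small subset of semver.

// Constructed sample shaped like the `npm ls hoek` tree above; the ranges are
// illustrative, not copied from the real packages.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "5.0.3" },
    "watson-developer-cloud": {
      version: "2.42.0", requires: { request: "^2.83.0" },
      dependencies: { request: { version: "2.83.0", requires: { hawk: "~6.0.2" },
        dependencies: { hawk: { version: "6.0.2", requires: { hoek: "4.x.x" },
          dependencies: { hoek: { version: "4.2.1" } } } } } },
    },
    "solr-client": {
      version: "0.7.0", requires: { request: "^2.81.0" },
      dependencies: { request: { version: "2.81.0", requires: { hawk: "~3.1.3" },
        dependencies: { hawk: {
          version: "3.1.3",
          requires: { boom: "2.x.x", hoek: "2.x.x", sntp: "1.x.x" },
          dependencies: {
            boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
            hoek: { version: "2.16.3" },
            sntp: { version: "1.0.9", requires: { hoek: "2.x.x" } },
          },
        } } } },
    },
  },
};

const parseVersion = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Bounds for exact pins, ^, ~, x-ranges and "*"; null for any other syntax.
function rangeBounds(range) {
  const r = range.trim();
  if (r === "*" || r === "x" || r === "") return { lo: [0, 0, 0], hi: null };
  const m = r.match(/^([\^~]?)(\d+)\.(x|\*|\d+)(?:\.(x|\*|\d+))?$/);
  if (!m) return null;
  const isX = (s) => s === undefined || s === "x" || s === "*";
  const M = Number(m[2]);
  const lo = [M, isX(m[3]) ? 0 : Number(m[3]), isX(m[4]) ? 0 : Number(m[4])];
  if (isX(m[3])) return { lo, hi: [M + 1, 0, 0] };               // 2.x.x
  if (isX(m[4])) return { lo, hi: [M, lo[1] + 1, 0] };           // 2.1.x
  if (m[1] === "^") return { lo, hi: M > 0 ? [M + 1, 0, 0] : [0, lo[1] + 1, 0] };
  if (m[1] === "~") return { lo, hi: [M, lo[1] + 1, 0] };
  return { lo, hi: [M, lo[1], lo[2] + 1] };                       // exact pin
}

// true/false, or null when the range uses syntax outside the subset above.
function satisfies(version, range) {
  const b = rangeBounds(range);
  if (!b) return null;
  const v = parseVersion(version);
  return cmp(v, b.lo) >= 0 && (b.hi === null || cmp(v, b.hi) < 0);
}

// hoek, per the CVE-2018-3728 answer on this page: fixed in 4.2.1 and 5.0.3.
const HOEK_FIXED = ["4.2.1", "5.0.3"];
const hoekIsVulnerable = (version) => {
  const v = parseVersion(version);
  return cmp(v, [4, 2, 1]) < 0 || (v[0] === 5 && cmp(v, [5, 0, 3]) < 0);
};

function audit(lock, pkg, isVulnerable, fixedVersions) {
  const copies = [];    // vulnerable installed copies of pkg
  const consumers = []; // packages whose "requires" names pkg
  (function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkg && isVulnerable(info.version)) {
        copies.push({ version: info.version, topLevel: here[0], path: here.join(" > ") });
      }
      const range = info.requires && info.requires[pkg];
      if (range !== undefined) {
        consumers.push({ consumer: here[here.length - 1], topLevel: here[0], range,
          acceptsFix: fixedVersions.some((f) => satisfies(f, range) === true) });
      }
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return { copies, consumers };
}

const report = audit(SAMPLE_LOCK, "hoek", hoekIsVulnerable, HOEK_FIXED);
for (const c of report.copies) console.log(`vulnerable: ${c.path}`);
for (const c of report.consumers) {
  console.log(`${c.consumer} requires hoek ${c.range}: ` + (c.acceptsFix
    ? `reinstalling ${c.topLevel} can pick up a fixed hoek`
    : `range excludes the fix; ${c.topLevel} itself needs a newer release`));
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). A consumer whose range excludes every fixed version (hawk@3.1.3 with 2.x.x in the sample) is the case the answer's caveat describes: reinstalling the top-level package cannot help until that package itself moves to a release that depends on a newer hawk, which is what the npm ls based answers end up doing.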
1

Try running npm install hoek@4.2.x or npm install hoek@5 in your project.

That will install the required latest version of hoek into the package.json dependencies, overwriting the above hoek version in package-lock.json.

0

Found a solution here.

Basically, in Git Bash, cd to your project folder and type the following commands:

npm i hoek  
npm uninstall hoek 
npm update 
npm install  

then

git add .
git commit -m 'update-hoek'
git push origin master 

Now check your GitHub project page again, the warning should disappear.

Regards.

Engineero
sheldonfish
0

I tried all the above, but none worked for me, so I went ahead to check the root cause of mine.

I ran npm ls hoek which gave me:

├─┬ fuse-box@3.3.0
│ └─┬ request@2.81.0
│   └─┬ hawk@3.1.3
│     ├─┬ boom@2.10.1
│     │ └── hoek@2.16.3
│     ├── hoek@2.16.3
│     └─┬ sntp@1.0.9
│       └── hoek@2.16.3
└── hoek@5.0.3

I compared the version of my hawk against the one on npm hawk, so I ran npm i hawk --save. After which I again ran my normal git commands:

git add .
git commit -m 'whatever_message'
git push 

And went back to GitHub and my security vulnerability was fixed.

antzshrek
0

Yes, the package CVE-2018-3728 is vulnerable. The versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The affected versions of hoek are up to version 5.0.2. The remediation is to update to version 4.2.1, 5.0.3 or later. For more information, you can view the fix pull request here: https://github.com/hapijs/hoek/pull/231/commits/5aed1a8c4a3d55722d1c799f2368857bf418d6df
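For the vulnerability class this answer names (prototype pollution through a merge function), here is an added illustration written for this page; it is not hoek's code and not taken from the fix pull request. It shows a naive recursive merge that walks into a "__proto__" key beside a hardened version that refuses prototype keys, with a probe that reports whether an unrelated object gained the injected property. The UNTRUSTED_JSON input is constructed for the demo.

```javascript
// Added example, not hoek's code and not from the answer above: a minimal
// recursive merge with the weakness class named for hoek (prototype
// pollution through "merge") beside a hardened version, plus a probe that
// shows the effect on unrelated objects.

function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      // With key === "__proto__", target[key] is Object.prototype, so the
      // recursion writes the source's keys onto every plain object.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {     // own enumerable keys only
    if (BLOCKED_KEYS.has(key)) continue;       // never descend into the prototype chain
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input: JSON.parse turns the "__proto__" member into an
// ordinary own property, which is exactly what a naive merge then walks into.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Merge the input into a fresh object and report whether an unrelated object
// gained the key. Cleans Object.prototype afterwards so later code is unaffected.
function probe(mergeFn) {
  const before = ({}).polluted;
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

console.log("unsafeMerge:", probe(unsafeMerge)); // after: true
console.log("safeMerge:", probe(safeMerge));     // after: undefined
```

The hardened version still deep-merges ordinary nested objects; the only behavioural change is that keys which would redirect the walk onto a shared prototype are dropped, which is the kind of guard the fixed hoek releases add around merge.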