Prototype pollution attack
See original GitHub issue
If you're getting a deprecated module warning, don't worry about it: we're aware of it and it's not an issue. To make it go away, update to Gulp 4.0.
I am actually getting a "Prototype pollution attack" as follows from my nsp-check when trying to publish my package on npm.
```
Prototype pollution attack
Name        hoek
CVSS        4 (Medium)
Installed   2.16.3
Vulnerable  <= 4.2.0 || >= 5.0.0 < 5.0.3
Patched     > 4.2.0 < 5.0.0 || >= 5.0.3
Path        coffee-babel@1.0.1 > gulp@4.0.0 > glob-watcher@5.0.1 > chokidar@2.0.3 > fsevents@1.1.3 > node-pre-gyp@0.6.39 > hawk@3.1.3 > hoek@2.16.3
More Info   https://nodesecurity.io/advisories/566
```
What were you expecting to happen? Publish without errors.
What actually happened? I get the above message and the package is not published.
Please post a sample of your gulpfile (preferably reduced to just the bit that's not working)
gulpfile works great - the issue is with hoek. I have tried simply running yarn add hoek@latest but that doesn't work.
What version of gulp are you using? @next = 4.0.0
What versions of npm and node are you using? node v9.11.1, npm v5.6.0, yarn v1.5.1, macOS v10.13.4
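The advisory in the report above is about a recursive merge that follows an untrusted object's `__proto__` key onto the target's prototype. As an added example (illustrative code, not hoek's implementation or anything from this issue), here is a naive merge of that kind, a hardened version that skips prototype keys, and a check that tells the two apart; the payload is constructed.

```javascript
// Constructed untrusted input, e.g. a parsed JSON request body. Merging it
// into an options object must never write to Object.prototype.
const PAYLOAD = '{"__proto__": {"polluted": "yes"}, "depth": 2}';

// Naive deep merge: walks every own key of `src`, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// `polluted` onto the prototype shared by every plain object.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach a prototype, and only descend
// into own properties of the target so inherited values are never mutated.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (value && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check: run a merge function on the payload and report whether a fresh
// object now inherits the injected property. Cleans up afterwards so the
// rest of the process is not left polluted by the check itself.
function pollutes(mergeFn) {
  try {
    mergeFn({}, JSON.parse(PAYLOAD));
    return ({}).polluted !== undefined;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('naiveMerge pollutes:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes:', pollutes(safeMerge));   // false
```

The same check can be pointed at any merge or defaults helper in a dependency tree to confirm whether an installed version is affected.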
Top GitHub Comments
A few recommendations:
- `prepare` to build your files instead of `prepublish`. It is run on manual installation, before publishing to npm or when installed as a GitHub dependency. It is usually the behavior you want (prepublish had some weird behaviors and is kinda deprecated).
- `"files"` in `package.json` instead of `.npmignore`. It acts as a whitelist and is easier to maintain.
Awesome. I will keep those things in mind.