Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Prototype pollution attack

See original GitHub issue

If you’re getting a deprecated module warning, don’t worry about it: we’re aware of it and it’s not an issue. To make it go away, update to Gulp 4.0.

I am actually getting a “Prototype pollution attack” as follows from my nsp-check when trying to publish my package on npm.

│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ coffee-babel@1.0.1 > gulp@4.0.0 > glob-watcher@5.0.1 >             │
│            │ chokidar@2.0.3 > fsevents@1.1.3 > node-pre-gyp@0.6.39 > hawk@3.1.3 │
│            │ > hoek@2.16.3                                                      │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566

What were you expecting to happen? Publish without errors.

What actually happened? I get the above message and the package is not published.

Please post a sample of your gulpfile (preferably reduced to just the bit that’s not working) gulpfile works great - the issue is with hoek. I have tried simply running yarn add hoek@latest but that doesn’t work.

What version of gulp are you using? @next = 4.0.0 What versions of npm and node are you using? node v.9.11.1 npm v5.6.0 yarn v1.5.1 macOS v10.13.4

Issue Analytics

State:
Created 5 years ago
Comments:10 (6 by maintainers)

Top GitHub Comments

1reaction

demurgoscommented, Apr 11, 2018

A few recommendations:

Keep your builds out of git, publish the built files to npm.
Use prepare to build your files instead of prepublish. It is run on manual installation, before publishing to npm or when installed as a Github dependency. It is usually the behavior you want (prebublish had some weird behaviors and is kinda deprecated).
Prefer to configure "files" in package.json instead of .npmignore. It acts as a whitelist and is easier to maintain.

0reactions

jhessincommented, Apr 11, 2018

Awesome. I will keep those things in mind.

Jim Hessin

On Apr 11, 2018, at 5:33 AM, Charles Samborski notifications@github.com wrote:

A few recommendations:

Keep your builds out of git, publish the built files to npm. Use prepare to build your files instead of prepublish. It is run on manual installation, before publishing to npm or when installed as a Github dependency. It is usually the behavior you want (prebublish had some weird behaviors and is kinda deprecated). Prefer to configure “files” in package.json instead of .npmignore. It acts as a whitelist and is easier to maintain. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

Top Results From Across the Web

What is prototype pollution? | Tutorial & examples - Snyk Learn

Prototype pollution is an injection attack that targets JavaScript runtimes. With prototype pollution, an attacker might control the default values of an ...

Prototype pollution: The dangerous and underrated ...

Other prototype pollution attacks involve adding properties and methods to object to manipulate the behavior of an application.

What Is Prototype Pollution? | Risks & Mitigation - Imperva

Prototype pollution is a vulnerability that enables threat actors to exploit JavaScript runtimes. In a prototype pollution attack, threat actors inject ...

Everything you need to know about Prototype Pollution

Prototype Pollution is a vulnerability that allows attackers to exploit the rules of the JavaScript programming language, by injecting properties into ...

The Complete Guide to Prototype Pollution Vulnerabilities

An in-depth look at Prototype Pollution vulnerabilities and how to ... Researchers started to discuss it as a potential attack vector around ...