
Prototype pollution attack

  • If you’re getting a deprecated module warning, don’t worry about it: we’re aware of it and it’s not an issue. To make it go away, update to Gulp 4.0.

I am actually getting a “Prototype pollution attack” as follows from my nsp-check when trying to publish my package on npm.

│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ coffee-babel@1.0.1 > gulp@4.0.0 > glob-watcher@5.0.1 >             │
│            │ chokidar@2.0.3 > fsevents@1.1.3 > node-pre-gyp@0.6.39 > hawk@3.1.3 │
│            │ > hoek@2.16.3                                                      │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

What were you expecting to happen?
Publish without errors.

What actually happened?
I get the above message and the package is not published.

Please post a sample of your gulpfile (preferably reduced to just the bit that’s not working)
gulpfile works great - the issue is with hoek. I have tried simply running yarn add hoek@latest but that doesn’t work.

What version of gulp are you using?
@next = 4.0.0

What versions of npm and node are you using?
node v.9.11.1 npm v5.6.0 yarn v1.5.1 macOS v10.13.4
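The advisory the nsp check reports is for hoek, but the bug class is worth seeing in isolation. The following is an added example written for this thread; it is not hoek's code and not the gulp project's. It shows a minimal recursive merge that walks into a key literally named `__proto__` (the pattern behind "prototype pollution" advisories), beside a hardened merge that refuses to, and a check a test suite can run to notice that `Object.prototype` has been modified. The input document is a constructed sample; `unsafeMerge`, `safeMerge`, `isPrototypePolluted` and `demonstrate` are names chosen here.

```javascript
// Added example for this thread; not hoek's code and not the gulp project's.

// Vulnerable pattern: keys from untrusted input are used as-is, so a key
// named "__proto__" reaches Object.prototype through the inherited getter.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the keys that can redirect the walk into a
// prototype, and only descend into the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: a brand-new empty object must not see a property it never set.
function isPrototypePolluted(marker = 'polluted') {
  return ({})[marker] !== undefined;
}

// Constructed sample shaped like a parsed request body or config document.
// JSON.parse creates an own property literally named "__proto__", which is
// exactly what Object.keys() then hands to the merge.
const UNTRUSTED_INPUT_JSON = '{"name":"example-pkg","__proto__":{"polluted":true}}';

// Runs both merges against the same input and records the runtime state
// after each; restores Object.prototype so the process is left clean.
function demonstrate() {
  const results = {};
  safeMerge({}, JSON.parse(UNTRUSTED_INPUT_JSON));
  results.afterSafeMerge = isPrototypePolluted();
  unsafeMerge({}, JSON.parse(UNTRUSTED_INPUT_JSON));
  results.afterUnsafeMerge = isPrototypePolluted();
  delete Object.prototype.polluted;
  results.afterCleanup = isPrototypePolluted();
  return results;
}

console.log(demonstrate());
// → { afterSafeMerge: false, afterUnsafeMerge: true, afterCleanup: false }
```

The `isPrototypePolluted` check is the cheap regression guard: run it in a test after exercising any code path that merges, extends or deep-clones external input, and it fails the moment a library in the dependency tree starts writing to `Object.prototype`. Upgrading to a patched release, as the advisory table requires, remains the actual fix.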

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 10 (6 by maintainers)

Top GitHub Comments

1 reaction
demurgos commented, Apr 11, 2018

A few recommendations:

  • Keep your builds out of git, publish the built files to npm.
  • Use prepare to build your files instead of prepublish. It is run on manual installation, before publishing to npm or when installed as a GitHub dependency. It is usually the behavior you want (prepublish had some weird behaviors and is kinda deprecated).
  • Prefer to configure "files" in package.json instead of .npmignore. It acts as a whitelist and is easier to maintain.
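
The three recommendations above can be turned into a preflight check that runs before `npm publish`. What follows is an added example, not the gulp project's code and not the commenter's: `checkManifest` flags a `prepublish` hook, a missing `prepare` hook and a missing `files` whitelist, and `buildDirIgnored` confirms the build directory is kept out of git. Both manifests, the `.gitignore` text and the package name `example-pkg` are constructed samples.

```javascript
// Added example; not the gulp project's code nor the commenter's.

// Returns a list of findings (empty when the manifest follows the advice).
function checkManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  // Build in "prepare", not the "prepublish" hook the comment advises against.
  if (has(scripts, 'prepublish')) {
    findings.push('scripts.prepublish is set; move the build step to scripts.prepare');
  }
  if (!has(scripts, 'prepare')) {
    findings.push('scripts.prepare is missing; nothing builds on publish or on git installs');
  }
  // Whitelist published paths with "files" rather than relying on .npmignore.
  if (!Array.isArray(pkg.files) || pkg.files.length === 0) {
    findings.push('"files" is missing; publish a whitelist instead of an .npmignore blacklist');
  }
  return findings;
}

// Keep build output out of git: true when buildDir is listed in .gitignore.
function buildDirIgnored(gitignoreText, buildDir) {
  return gitignoreText
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .some((line) => line.replace(/^\/+|\/+$/g, '') === buildDir);
}

// Constructed "before" manifest: prepublish hook, no files whitelist.
const beforeManifest = {
  name: 'example-pkg',
  version: '1.0.0',
  main: 'dist/index.js',
  scripts: { prepublish: 'gulp build' },
};

// Constructed "after" manifest following the recommendations.
const afterManifest = {
  name: 'example-pkg',
  version: '1.0.0',
  main: 'dist/index.js',
  files: ['dist'],
  scripts: { build: 'gulp build', prepare: 'npm run build' },
};

// Constructed .gitignore keeping the build directory out of the repository.
const sampleGitignore = '# build output\nnode_modules/\ndist/\n';

console.log(checkManifest(beforeManifest));            // three findings
console.log(checkManifest(afterManifest));             // []
console.log(buildDirIgnored(sampleGitignore, 'dist'));  // true
```

Wiring `checkManifest` into a `prepublishOnly` script (or a CI step) makes the publish fail with a readable reason instead of shipping an unbuilt or over-inclusive tarball.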
0 reactions
jhessin commented, Apr 11, 2018

Awesome. I will keep those things in mind.

  • Jim Hessin

On Apr 11, 2018, at 5:33 AM, Charles Samborski notifications@github.com wrote:

A few recommendations:

  • Keep your builds out of git, publish the built files to npm.
  • Use prepare to build your files instead of prepublish. It is run on manual installation, before publishing to npm or when installed as a GitHub dependency. It is usually the behavior you want (prepublish had some weird behaviors and is kinda deprecated).
  • Prefer to configure “files” in package.json instead of .npmignore. It acts as a whitelist and is easier to maintain.
