[solved] Email from GitHub: Security vulnerability in package-lock.json?

#1

I just received an email from GitHub saying a couple of my projects have a version of package-lock.json on them older than 5.0.3, and it may have security issues. I’m trying to look to see if the 1.6.1.1 update in meteor had an update for that, but have no idea where to look.

I checked .packages, versions, node_modules, and haven’t found a version for it anywhere.

Any help is greatly appreciated.

#2

Can you post the text of the email?

It’s likely referring to an individual npm dependency that has a known vulnerability

#3

bmcgonag,
We found a potential security vulnerability in a repository for which you have been granted security alert access.

@bmcgonag bmcgonag/trivia-challenge
Known moderate severity security vulnerability detected in hoek < 5.0.3 defined in package-lock.json.
package-lock.json update suggested: hoek ~> 5.0.3.
Always verify the validity and compatibility of suggestions with your codebase

That’s what they sent me.

Getting an error
#4

I had a look in your Github and saw that you’ve just got the default meteor dependencies:

"dependencies": {
    "babel-runtime": "^6.18.0",
    "bcrypt": "^1.0.3",
    "meteor-node-stubs": "~0.2.0"
}

As the email says, the vulnerability is in a package called hoek. Since it’s not in your package.json it must be a deep dependency.

The easiest way to track down which of your dependencies uses hoek is using npm ls <pkg> like so:

$ npm ls hoek
trivia@ /Users/coagmano/development/trivia-challenge
└─┬ bcrypt@1.0.3
  └─┬ node-pre-gyp@0.6.36
    └─┬ request@2.83.0
      └─┬ hawk@6.0.2
        ├─┬ boom@4.3.1
        │ └── hoek@4.2.0  deduped
        ├─┬ cryptiles@3.1.2
        │ └─┬ boom@5.2.0
        │   └── hoek@4.2.0  deduped
        ├── hoek@4.2.0
        └─┬ sntp@2.1.0
          └── hoek@4.2.0  deduped

Which shows that the vulnerable version of hoek is a deep dependency of brcypt@1.0.3

Updating bcrypt to latest (2.0.1) with:

meteor npm install bcrypt@latest

also causes it’s dependencies to update and remove the deep dependency on hoek entirely


Also note that bcrypt@1.0.3 has other insecure dependencies:

Found 3 vulnerabilities, 6 vulnerable paths
✗ Low severity vulnerability found on deep-extend@0.4.2
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:deep-extend:20180409
- from: trivia@null > bcrypt@1.0.3 > node-pre-gyp@0.6.36 > rc@1.2.2 > deep-extend@0.4.2
Fix: None available. Consider removing this dependency.

✗ Low severity vulnerability found on hoek@4.2.0
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:hoek:20180212
- from: trivia@null > bcrypt@1.0.3 > node-pre-gyp@0.6.36 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
Your dependencies are out of date, otherwise you would be using a newer hoek than hoek@4.2.0.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

✗ High severity vulnerability found on sshpk@1.13.1
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:sshpk:20180409
- from: trivia@null > bcrypt@1.0.3 > node-pre-gyp@0.6.36 > request@2.83.0 > http-signature@1.2.0 > sshpk@1.13.1
Your dependencies are out of date, otherwise you would be using a newer sshpk than sshpk@1.13.1.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

Tested 176 dependencies for known vulnerabilities, found 3 vulnerabilities, 6 vulnerable paths.

And that even after updating bcrypt to 2.0.1, there’s still one minor vulnerability in it’s dependencies:

Testing /Users/coagmano/development/trivia-challenge...
✗ Low severity vulnerability found on deep-extend@0.4.2
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:deep-extend:20180409
- from: trivia@null > bcrypt@2.0.1 > node-pre-gyp@0.9.1 > rc@1.2.6 > deep-extend@0.4.2
Fix: None available. Consider removing this dependency.

I don’t think there’s a way this can affect your app via bcrypt > node-pre-gyp as they shouldn’t deal with user input.

And for reference, I tested for vulnerabilites using snyk

5 Likes
#5

That is awesome! Putting that in my tool box for later use. Thanks so much!

1 Like