I had a look in your Github and saw that you’ve just got the default meteor dependencies:

```json
"dependencies": {
  "babel-runtime": "^6.18.0",
  "bcrypt": "^1.0.3",
  "meteor-node-stubs": "~0.2.0"
}
```
As the email says, the vulnerability is in a package called `hoek`. Since it’s not in your package.json it must be a deep dependency.

The easiest way to track down which of your dependencies uses `hoek` is using `npm ls <pkg>` like so:
```
$ npm ls hoek
trivia@ /Users/coagmano/development/trivia-challenge
└─┬ bcrypt@1.0.3
  └─┬ node-pre-gyp@0.6.36
    └─┬ request@2.83.0
      └─┬ hawk@6.0.2
        ├─┬ boom@4.3.1
        │ └── hoek@4.2.0 deduped
        ├─┬ cryptiles@3.1.2
        │ └─┬ boom@5.2.0
        │   └── hoek@4.2.0 deduped
        ├── hoek@4.2.0
        └─┬ sntp@2.1.0
          └── hoek@4.2.0 deduped
```
Which shows that the vulnerable version of `hoek` is a deep dependency of bcrypt@1.0.3.

Updating bcrypt to latest (2.0.1) with:

```shell
meteor npm install bcrypt@latest
```

also causes its dependencies to update and removes the deep dependency on `hoek` entirely.
Also note that bcrypt@1.0.3 has other insecure dependencies:

```
Found 3 vulnerabilities, 6 vulnerable paths

✗ Low severity vulnerability found on deep-extend@0.4.2
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:deep-extend:20180409
- from: trivia@null > bcrypt@1.0.3 > node-pre-gyp@0.6.36 > rc@1.2.2 > deep-extend@0.4.2
Fix: None available. Consider removing this dependency.

✗ Low severity vulnerability found on hoek@4.2.0
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:hoek:20180212
- from: trivia@null > bcrypt@1.0.3 > node-pre-gyp@0.6.36 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
Your dependencies are out of date, otherwise you would be using a newer hoek than hoek@4.2.0.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

✗ High severity vulnerability found on sshpk@1.13.1
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:sshpk:20180409
- from: trivia@null > bcrypt@1.0.3 > node-pre-gyp@0.6.36 > request@2.83.0 > http-signature@1.2.0 > sshpk@1.13.1
Your dependencies are out of date, otherwise you would be using a newer sshpk than sshpk@1.13.1.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

Tested 176 dependencies for known vulnerabilities, found 3 vulnerabilities, 6 vulnerable paths.
```
And that even after updating bcrypt to 2.0.1, there’s still one minor vulnerability in its dependencies:

```
Testing /Users/coagmano/development/trivia-challenge...

✗ Low severity vulnerability found on deep-extend@0.4.2
- desc: Prototype Pollution
- info: https://snyk.io/vuln/npm:deep-extend:20180409
- from: trivia@null > bcrypt@2.0.1 > node-pre-gyp@0.9.1 > rc@1.2.6 > deep-extend@0.4.2
Fix: None available. Consider removing this dependency.
```
I don’t think there’s a way this can affect your app via `bcrypt > node-pre-gyp` as they shouldn’t deal with user input.
And for reference, I tested for vulnerabilities using snyk
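The `npm ls hoek` step above, done as a script, as an added example that is not part of the original post and not code from the post's author, npm or Snyk. It walks a dependency tree shaped like `npm ls --json` output (nested `dependencies` objects, each with a `version`), returns every path from a top-level dependency down to the target package, and names the top-level packages that have to be bumped to get rid of it. The `sampleTree` is constructed to mirror the `npm ls hoek` tree in the post (the babel-runtime and meteor-node-stubs entries are filler), and the `"4.2.1"` cut-off in the usage call is an assumed fixed version standing in for whatever the advisory actually says; `versionLt`, `findPaths` and `topLevelCulprits` are names chosen here.

```javascript
// Added example, not from the original post: a script-friendly `npm ls <pkg>`.
// Walks a tree shaped like `npm ls --json` output (nested `dependencies`
// objects, each with a `version`), lists every path from a top-level
// dependency down to the target package, and names the top-level packages
// you would have to bump to drop it.
//
// `sampleTree` is CONSTRUCTED to mirror the `npm ls hoek` tree in the post;
// the babel-runtime and meteor-node-stubs entries are filler with no
// nested dependencies.
const sampleTree = {
  name: "trivia",
  dependencies: {
    bcrypt: {
      version: "1.0.3",
      dependencies: {
        "node-pre-gyp": {
          version: "0.6.36",
          dependencies: {
            request: {
              version: "2.83.0",
              dependencies: {
                hawk: {
                  version: "6.0.2",
                  dependencies: {
                    boom: { version: "4.3.1", dependencies: { hoek: { version: "4.2.0" } } },
                    cryptiles: {
                      version: "3.1.2",
                      dependencies: { boom: { version: "5.2.0", dependencies: { hoek: { version: "4.2.0" } } } },
                    },
                    hoek: { version: "4.2.0" },
                    sntp: { version: "2.1.0", dependencies: { hoek: { version: "4.2.0" } } },
                  },
                },
              },
            },
          },
        },
      },
    },
    "babel-runtime": { version: "6.18.0" },
    "meteor-node-stubs": { version: "0.2.0" },
  },
};

// Numeric dotted-version comparison: true if a < b. Good enough for x.y.z
// release versions; pre-release tags ("1.0.0-beta") are not handled, so use
// a real semver library if your tree contains them.
function versionLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk. Returns an array of paths, each an array of
// "name@version" strings from a top-level dependency down to `target`.
// When `fixedIn` is given, only copies older than that version are reported,
// so a tree that already carries the patched release comes back clean.
function findPaths(tree, target, fixedIn) {
  const found = [];
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = trail.concat(`${name}@${node.version}`);
      const hit = name === target && (fixedIn === undefined || versionLt(node.version, fixedIn));
      if (hit) found.push(here);
      walk(node.dependencies, here);
    }
  };
  walk(tree.dependencies, []);
  return found;
}

// The first hop of each path is a package you control in package.json;
// that is what has to be updated (or replaced) to drop the deep dependency.
function topLevelCulprits(paths) {
  return [...new Set(paths.map((p) => p[0]))];
}

// Usage: "4.2.1" is an ASSUMED fixed version standing in for whatever the
// advisory in the email says; take the real cut-off from there.
const hoekPaths = findPaths(sampleTree, "hoek", "4.2.1");
for (const p of hoekPaths) console.log(p.join(" > "));
console.log("update:", topLevelCulprits(hoekPaths).join(", "));
```

Pointed at a real project, replace `sampleTree` with `JSON.parse` of `npm ls --json` (or `meteor npm ls --json` inside a Meteor app). Passing the fixed version matters: after the `bcrypt@latest` bump the same walk should return no paths for hoek, which makes it usable as a CI check rather than a one-off.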