I'm getting the following moderate vulnerabilities when I try to install gulp-sass and node-sass to my local git project. I've already installed gulp version 4.0.
I have installed the latest version of hoek, 5.0.3, and tried to install gulp-sass and node-sass after installing the packages, but it is still showing the vulnerabilities. How can I manually fix this? Is there a way to fix the files?
Vulnerabilities:
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass
Path gulp-sass > node-sass > node-gyp > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass
Path gulp-sass > node-sass > node-gyp > request > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass
Path gulp-sass > node-sass > node-gyp > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of gulp-sass
Path gulp-sass > node-sass > node-gyp > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of node-sass
Path node-sass > node-gyp > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of node-sass
Path node-sass > node-gyp > request > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of node-sass
Path node-sass > node-gyp > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of node-sass
Path node-sass > node-gyp > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
Thanks in advance!
Basically, your project contains dependencies which are in turn dependent on the vulnerable version of the hoek package. After searching through several issues on GitHub such as
And finally, I found that the issue will only be fixed in the v5 release of node-sass https://github.com/sass/node-sass/issues/2111. So you need to wait for the latest release of node-sass with the fix, after which gulp-sass should also be updated to use v5 of node-sass to fully fix the issue.
There are plenty of projects like this that are suffering prototype pollution because they are unable to upgrade the vulnerable versions of affected packages such as hoek.
I created the no-pollution library for people who are facing exactly this issue. You can install it and include require('no-pollution')
in the entry point of your project to prevent any prototype pollution attacks from happening even if you have a vulnerable package installed.
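As an added illustration (not the no-pollution library's code and not hoek's merge), the sketch below shows the recursive-merge pattern behind advisory 566 on a constructed JSON payload, a merge that refuses prototype keys, and freezing Object.prototype at startup as the kind of process-wide mitigation the answer describes; naiveMerge, safeMerge, hardenPrototypes and isPolluted are hypothetical names.

```javascript
// Constructed sample input: a JSON document carrying a "__proto__" key.
const SAMPLE_PAYLOAD = '{"__proto__":{"sopolluted":"yes"}}';
// Keys a recursive merge must never descend into.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Stand-in for the vulnerable pattern: "__proto__" is treated like any
// other key, and target["__proto__"] on an empty target IS Object.prototype,
// so the recursion writes into the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: skip prototype keys and only recurse into OWN properties,
// so inherited objects are never reached through the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Process-wide mitigation: freeze the shared prototype before any dependency
// runs. Later writes are ignored in sloppy mode or throw TypeError in strict
// mode. Caveat: freeze early (a value already polluted would be locked in) and
// test your dependencies, since libraries that extend built-ins will break.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Health check usable in tests or a startup probe: a fresh object must not
// inherit the marker key. Returns true when the prototype chain is polluted.
function isPolluted(marker) {
  return marker in {};
}

// Runs a merge on untrusted JSON, reporting a thrown TypeError instead of crashing.
function mergeFromJson(mergeFn, json) {
  try { return { ok: true, result: mergeFn({}, JSON.parse(json)) }; }
  catch (e) { return { ok: false, error: e.name }; }
}
```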