Boom is a popular Node.js package designed to streamline HTTP error handling, providing a convenient way to generate user-friendly and informative error responses. Versions 2.6.0 and 2.6.1 are relatively close, but offer key distinctions worth noting for developers relying on Boom.
Version 2.6.1, released on November 25, 2014, builds upon the foundation of 2.6.0 (released a month earlier on October 22nd, 2014) with a focus on refinements. Both versions share the core functionality of creating HTTP-compatible error objects, making it easier to manage and standardize error responses within your application. They both rely on hoek version 2.x.x for utility functions.
The primary difference lies in the devDependencies. Version 2.6.0 used lab version 4.x.x for testing, while version 2.6.1 upgrades this to lab version 5.x.x and adds code version 1.x.x. This suggests improvements or updates to the testing suite, potentially including new test cases or enhanced testing methodologies.
For developers, this means that while the core error generation and handling features remain consistent, version 2.6.1 benefits from updated testing tools, potentially making it a more robust and reliable choice. Unless specific compatibility issues exist with the updated testing dependencies, upgrading to 2.6.1 is likely a safe and beneficial move. Both versions provide a developer-friendly way to return standard HTTP error codes with custom messages and details, improving the clarity and consistency of your API responses.
Known vulnerabilities affecting version 2.6.1 of the package (through its hoek dependency)
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
// JSON.parse turns the "__proto__" key into an own property of the parsed object.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
console.log("Before : " + a.oops); // prints "Before : undefined"
// A vulnerable merge copies that key onto the target, which assigns to Object.prototype.
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops); // prints "After : It works !" on an unpatched version
This type of attack can be used to overwrite existing properties, causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
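As an added example, not part of either advisory above and not code from the hoek or Boom projects, the following shows the defensive counterpart to both the merge issue and the clone issue: a deep merge and a deep clone that drop the keys which would reach the prototype chain, plus a probe that tells you whether Object.prototype has already been polluted. The names safeMerge, safeClone, prototypeIsPolluted and UNSAFE_KEYS are this example's own, and the payload is constructed; only plain Node.js is assumed.

```javascript
// Added example (not hoek or Boom code): merge/clone that ignore prototype-chain
// keys, and a probe for a polluted Object.prototype. Assumes plain Node.js only.

// Keys that must never be copied from untrusted input onto a target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Own-property check that also works for objects created without a prototype.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// True for plain dictionaries (object literals, JSON.parse output), false for
// arrays, class instances, null and primitives.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`. Unsafe keys are skipped rather than
// assigned, so a JSON-derived own property named "__proto__" is never written
// through the Object.prototype.__proto__ setter.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop polluting keys
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Deep-clone a JSON-like value with the same key filter. Iterating Object.keys()
// and skipping unsafe names means the copy never gets a "__proto__" property
// and its prototype is never replaced.
function safeClone(value) {
  if (Array.isArray(value)) return value.map(safeClone);
  if (!isPlainObject(value)) return value;
  const copy = {};
  for (const key of Object.keys(value)) {
    if (UNSAFE_KEYS.has(key)) continue;
    copy[key] = safeClone(value[key]);
  }
  return copy;
}

// Detection probe: a fresh empty object must not see `key` through its
// prototype. Returns true if Object.prototype has been polluted with `key`.
function prototypeIsPolluted(key) {
  return ({})[key] !== undefined;
}

// Constructed sample payload, same shape as in the advisory above.
const maliciousPayload = '{"__proto__":{"oops":"It works !"},"name":"probe"}';
const parsed = JSON.parse(maliciousPayload);
// JSON.parse creates an *own* property literally named "__proto__"; an object
// literal with that key would instead set the prototype, which is why untrusted
// JSON is the usual trigger for this bug.
console.log(Object.keys(parsed)); // [ '__proto__', 'name' ]

const merged = safeMerge({}, parsed);
const cloned = safeClone(parsed);
console.log(merged, cloned, prototypeIsPolluted('oops')); // { name: 'probe' } { name: 'probe' } false
```

The probe is worth keeping as an assertion in integration tests that feed untrusted JSON through merge or clone paths: a polluted Object.prototype persists for the life of the process, so a single check after the suspicious call is enough to catch a regression.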