Boom is a popular Node.js library designed to simplify and standardize the creation of HTTP-friendly error responses. These responses are particularly useful in building robust and well-behaved APIs. Comparing versions 2.7.1 and 2.7.0, the core functionality remains consistent, focusing on generating error objects with appropriate HTTP status codes, headers, and error messages. Both versions depend on the "hoek" utility library (version 2.x.x) and utilize "code" and "lab" for development-related tasks like testing. The repository information indicates the library is maintained under the hapijs GitHub organization, a group known for its high-quality Node.js modules.
The key difference developers should expect between versions 2.7.0 and 2.7.1 lies in bug fixes and internal improvements. The public API and core functionality have not changed; a patch release like this usually contains fixes for minor bugs. Even without a specific changelog, adopting the latest patch release is generally recommended for the most stable and reliable experience. The package can be updated with the command "npm install boom@latest". Boom simplifies HTTP error handling by providing a set of pre-defined error objects, which reduces boilerplate and improves consistency across an application, and it helps keep error reporting in API development clean and informative.
All vulnerabilities related to version 2.7.1 of the package
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so (the advisory's proof of concept, run against a vulnerable hoek release):

```javascript
var Hoek = require('hoek');

// JSON.parse creates an own "__proto__" property on the resulting object;
// a vulnerable merge then assigns through it and writes into Object.prototype.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

// An unrelated, empty object: it should never gain an "oops" property.
var a = {};
console.log("Before : " + a.oops); // "Before : undefined"

Hoek.merge({}, JSON.parse(malicious_payload));

// On a vulnerable version the property now appears on every object.
console.log("After : " + a.oops);
```
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
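Both advisories above share the same root cause: a deep-copy or deep-merge routine that treats a key named __proto__ (or constructor/prototype) from untrusted JSON as an ordinary property. The following is an added example of the defensive pattern that the fixed hoek releases apply, written here from scratch; it is not hoek's own code, and the function names findPollutingKey, safeMerge and parseUntrusted are hypothetical. It needs no dependencies: it validates a parsed payload before it reaches any merge or clone, and it shows a merge that cannot pollute Object.prototype even when the validation step is skipped. The sample inputs are constructed for the example.

```javascript
// Keys that must never be copied from untrusted input into an object graph.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dotted path of the first forbidden
// key, or null when the payload is clean. JSON.parse creates "__proto__" as an
// own property, so Object.keys() does list it.
function findPollutingKey(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutingKey(value[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN.has(key)) return path.concat(key).join('.');
    const hit = findPollutingKey(value[key], path.concat(key));
    if (hit) return hit;
  }
  return null;
}

// Deep merge that skips forbidden keys and writes through defineProperty, so a
// key literally named "__proto__" is stored as data rather than re-pointing the
// prototype chain (assignment via target[key] = ... would hit the setter).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = existing && typeof existing === 'object' ? existing : {};
      Object.defineProperty(target, key, { value: child, writable: true, enumerable: true, configurable: true });
      safeMerge(child, val);
    } else {
      Object.defineProperty(target, key, { value: val, writable: true, enumerable: true, configurable: true });
    }
  }
  return target;
}

// Parse untrusted JSON and reject any payload that carries a polluting key,
// reporting where it was found so the rejection can be logged.
function parseUntrusted(json) {
  const parsed = JSON.parse(json);
  const bad = findPollutingKey(parsed);
  if (bad) throw new Error('rejected payload: forbidden key at ' + bad);
  return parsed;
}

// Constructed sample inputs: the shape from the advisory and a benign config.
const MALICIOUS = '{"__proto__":{"oops":"It works !"}}';
const BENIGN = '{"retries":3,"limits":{"max":10}}';

// Exercise both layers and report whether an unrelated object was polluted.
function demo() {
  const probe = {};
  let rejected = false;
  try { parseUntrusted(MALICIOUS); } catch (e) { rejected = true; }
  // Even with validation bypassed, the merge drops the key instead of polluting.
  safeMerge({}, JSON.parse(MALICIOUS));
  const merged = safeMerge({ limits: { min: 1 } }, parseUntrusted(BENIGN));
  return { rejected, polluted: probe.oops !== undefined, merged };
}

console.log(JSON.stringify(demo()));
```

The two layers are deliberately independent: input validation gives a clear place to log and reject hostile payloads, while the defineProperty-based merge guarantees that even a payload that slips past validation (for example through a code path that never calls parseUntrusted) cannot reach Object.prototype.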