Hoek is a Node.js utility library providing a suite of general-purpose tools for developers. Comparing versions 2.16.3 and 2.16.2 reveals minimal changes from a functional perspective. Both versions share identical descriptions as "General purpose node utilities," have no direct dependencies, and list code and lab as development dependencies, utilizing version 1.x.x and 5.x.x respectively for testing. The license remains consistent as BSD-3-Clause across both versions, and the repository URL points to the same GitHub repository.
The primary difference lies in their release dates and, consequently, in the downloaded tarball. Version 2.16.3 was released on September 21, 2015, while version 2.16.2 was released five days earlier on September 16, 2015, which suggests that 2.16.3 carries bug fixes or minor improvements made after the 2.16.2 release. Within the 2.x line, 2.16.3 is therefore the release to pick; note, however, that it falls inside the affected range of the prototype pollution advisory listed below (every version prior to 4.2.1 and 5.0.3), so projects that can move to 4.2.1, 5.0.3 or later should do so rather than stay on 2.16.3. The dist field specifies the tarball URL, enabling direct download. While the description is brief, Hoek is known for providing utilities often needed by other JavaScript libraries, such as cloning objects and deep object comparison, with no dependencies. Developers who need robust and reliable utility functions should check the exact changes between versions on the linked GitHub repository to confirm which features and fixes each release contains.
All vulnerabilities related to version 2.16.3 of the package
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
// Untrusted input: JSON.parse stores "__proto__" as an own property of the parsed object,
// whereas an object literal would treat it as a prototype assignment.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {}; // unrelated object that never touches the payload
console.log("Before : " + a.oops); // Before : undefined
// On an affected version, merge() recurses into target.__proto__ (that is, Object.prototype)
// and writes "oops" there, so every object in the process now inherits it.
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops); // After : It works !
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
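Both advisories above have the same root cause: a deep merge or clone that follows own keys of untrusted input without excluding the ones that reach into the prototype chain. The example below, added here and not code from hoek or its maintainers, shows the two defences a practitioner would put in front of such a function: a validator that rejects a parsed JSON payload containing __proto__, constructor or prototype at any depth, and a merge that skips those keys and only recurses into the target's own properties. The key list, the function names (findPollutionKey, safeMerge, demo) and the payload string are this example's own assumptions; the payload is constructed to match the shape of the advisory's proof of concept.

```javascript
'use strict';

// Keys that let a merge or clone write through a plain object into its
// prototype chain. Assumption: this conservative list is the example's own
// choice, not hoek's internal list.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the path of the first dangerous key,
// or null when the payload is clean. Meant to run on untrusted input before
// it reaches a deep merge or clone such as Hoek.merge or Hoek.clone.
function findPollutionKey(value, path = '') {
  if (value === null || typeof value !== 'object') {
    return null;
  }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutionKey(value[i], `${path}/${i}`);
      if (hit !== null) {
        return hit;
      }
    }
    return null;
  }
  // JSON.parse stores "__proto__" as an own, enumerable property, so
  // Object.keys sees it; an object literal would not behave this way.
  for (const key of Object.keys(value)) {
    const here = `${path}/${key}`;
    if (DANGEROUS_KEYS.has(key)) {
      return here;
    }
    const hit = findPollutionKey(value[key], here);
    if (hit !== null) {
      return hit;
    }
  }
  return null;
}

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Deep merge that copies only own keys, skips the dangerous ones and never
// recurses into an inherited target value, so a source object cannot turn a
// nested write into a write on Object.prototype. Arrays are copied rather
// than merged, a deliberate simplification for the example.
function safeMerge(target, source) {
  if (!isPlainObject(source)) {
    return target;
  }
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) {
      continue; // never follow the prototype chain
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = Array.isArray(value) ? value.slice() : value;
    }
  }
  return target;
}

// Constructed payload with the same shape as the advisory's proof of concept.
const MALICIOUS_PAYLOAD = '{"name":"app","__proto__":{"oops":"It works !"}}';

// Runs both defences against the payload and reports the outcome.
function demo() {
  const parsed = JSON.parse(MALICIOUS_PAYLOAD);
  const flagged = findPollutionKey(parsed);        // '/__proto__'
  const merged = safeMerge({ port: 80 }, parsed);  // "name" copied, "__proto__" skipped
  const bystander = {};                            // unrelated object, must stay clean
  return {
    flagged,
    merged,
    bystanderPolluted: bystander.oops !== undefined,
  };
}

console.log(JSON.stringify(demo()));
```

In practice the validator is the cheaper gate: reject the request when findPollutionKey returns a path, and only then hand the payload to the library. The safeMerge variant matters where the data cannot be rejected outright; it is equivalent to what the patched hoek releases do when they stop on these keys, but written here so the behaviour can be read in one place.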