Hoek is a general-purpose Node.js utility library designed for developers seeking robust and efficient tools for common programming tasks. Comparing versions 4.0.1 and 4.0.2, the core functionality and dependencies remain the same, indicating a focused maintenance release. Both versions offer the same set of utilities without adding or removing dependencies, which keeps behaviour predictable for projects already relying on Hoek. The key difference lies in the release date: version 4.0.2 was published on July 27, 2016, following version 4.0.1's release on June 1, 2016.
The specific changes between these minor versions are not detailed in the provided data; such updates usually involve bug fixes, performance enhancements, or minor adjustments to existing functionality. Developers should consult the official Hoek release notes or changelog for a complete account of the changes. For projects already using Hoek, upgrading from 4.0.1 to 4.0.2 should be seamless, and the primary motivation for the release was most likely to resolve identified issues. The 'code' and 'lab' entries in the devDependencies section hint that Hoek is consistently tested to maintain code quality. Furthermore, the BSD-3-Clause license permits a wide range of reuse.
All vulnerabilities affecting version 4.0.2 of the package
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
// JSON.parse creates an own property literally named "__proto__"; the vulnerable
// merge recurses into target.__proto__, which is Object.prototype itself.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {}; // an unrelated object that is never passed to merge
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops); // the injected value is now visible on every object
Because the injected properties land on Object.prototype, they become visible on every object in the process. This type of attack can be used to overwrite existing properties, causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
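Both advisories above describe the same root cause: a recursive merge or clone that copies a key named __proto__ (and, by the same mechanism, constructor or prototype) from untrusted input into the target. The following is an added example, not hoek's code, showing the defensive pattern the fixed versions rely on: a deep merge and a deep clone that drop those keys at every depth, plus a small check that confirms Object.prototype was left untouched after processing the advisory's payload. The function names safeMerge, safeClone, pollutedKeys and demo are assumptions made for this example, and the input object is constructed here.

```javascript
'use strict';

// Keys that must never be copied from untrusted input: writing to them walks
// the prototype chain instead of the target object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`, skipping forbidden keys at every depth and
// only recursing into own, plain-object properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous key entirely
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Deep-clone a JSON-shaped value with the same key filter.
function safeClone(value) {
  if (Array.isArray(value)) return value.map(safeClone);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = safeClone(value[key]);
  }
  return out;
}

// Detection: a fresh {} should enumerate no properties at all. Anything
// returned here was inherited from a polluted Object.prototype.
function pollutedKeys() {
  const probe = {};
  const keys = [];
  for (const key in probe) keys.push(key); // for-in walks inherited enumerables
  return keys;
}

// Constructed sample input with the same shape as the advisory's payload.
const untrusted = JSON.parse(
  '{"__proto__":{"oops":"It works !"},"name":"demo","nested":{"a":1}}'
);

function demo() {
  const target = { nested: { b: 2 } };
  safeMerge(target, untrusted);
  const copy = safeClone(untrusted);
  return {
    merged: target,
    cloneHasProto: Object.prototype.hasOwnProperty.call(copy, '__proto__'),
    polluted: pollutedKeys(),
    oops: ({}).oops, // stays undefined when nothing leaked onto Object.prototype
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check in pollutedKeys is cheap enough to run in a test suite after exercising any code path that merges or clones request bodies; a non-empty result is a reliable signal that some layer still copies prototype keys.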