Resolve JS security vulnerability in dependency #307

brlodi · 2018-05-14T19:35:35Z

The current version of node-sass depends on request 2.79.0, which in turn depends on a package with a known security vulnerability. More recent versions of request have resolved this, but have not yet been upgraded in node-sass.

This is tracked in sass/node-sass#2355 and will be resolved in the next server update of node-sass. We should upgrade our node-sass dependency in package.json at that time.

The text was updated successfully, but these errors were encountered:

vforgione · 2018-06-26T22:12:25Z

Just want to revisit this. Did these imbeciles ever get their shit together?

brlodi · 2018-06-26T22:23:29Z

You'll note the blocking issue is still open. And this affects several packages we depend on, including Bootstrap itself, beyond our direct use of Sass. They know it's an issue, since every GitHub project depending on node-sass, directly or indirectly (e.g. through Angular), has the same lovely yellow box.

brlodi · 2018-06-27T21:46:33Z

For completeness, sass/node-sass#2312 and subsequent release is what we, and most of the rest of the JavaScript ecosystem, are waiting on.

brlodi added bug labels May 14, 2018

brlodi self-assigned this May 14, 2018

brlodi mentioned this issue Jul 16, 2018

Bump min node-sass version to avoid vulnerability #355

Merged

HeyZoos closed this as completed in #355 Jul 16, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resolve JS security vulnerability in dependency #307

Resolve JS security vulnerability in dependency #307

brlodi commented May 14, 2018

vforgione commented Jun 26, 2018

brlodi commented Jun 26, 2018

brlodi commented Jun 27, 2018

Resolve JS security vulnerability in dependency #307

Resolve JS security vulnerability in dependency #307

Comments

brlodi commented May 14, 2018

vforgione commented Jun 26, 2018

brlodi commented Jun 26, 2018

brlodi commented Jun 27, 2018