🚨 [security] Upgrade node-sass: 4.14.1 → 7.0.1 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ node-sass (4.14.1 → 7.0.1) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Certificate Validation in node-sass

Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Release Notes

7.0.1

Dependencies

• Bump node-gyp from 7.1.2 to 8.4.1
• Bump sass-graph from 2.2.5 to 4.0.0

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 16, 17
OSX	x64	12, 14, 16, 17
Linux*	x64	12, 14, 16, 17
Alpine Linux	x64	12, 14, 16, 17
FreeBSD	i386 amd64	12, 14

*Linux support refers to major distributions like Ubuntu, and Debian

7.0.0

Breaking changes

• Drop support for Node 15 (@nschonni)
• Set rejectUnauthorized to true by default (@scott-ut, #3149)

Features

• Add support for Node 17 (@nschonni)

Dependencies

• Bump eslint from 7.32.0 to 8.0.0 (@nschonni, #3191)
• Bump fs-extra from 0.30.0 to 10.0.0 (@nschonni, #3102)
• Bump npmlog from 4.1.2 to 5.0.0 (@nschonni, #3156)
• Bump chalk from 1.1.3 to 4.1.2 (@nschonni, #3161)

Community

• Remove double word "support" from documentation (@pzrq, #3159)

Misc

• Bump various GitHub Actions dependencies (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 16, 17
OSX	x64	12, 14, 16, 17
Linux*	x64	12, 14, 16, 17
Alpine Linux	x64	12, 14, 16, 17
FreeBSD	i386 amd64	12, 14

*Linux support refers to major distributions like Ubuntu, and Debian

6.0.1

Dependencies

• Remove mkdirp (@jimmywarting, #3108)
• Bump meow to 9.0.0 (@ykolbin, #3125)
• Bump mocha to 9.0.1 (@xzyfer, #3134)

Misc

• Use default Apline version from docker-node (@nschonni, #3121)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

6.0.0

Breaking changes

• Drop support for Node 10 (@nschonni)
• Remove deprecated process.sass API (@xzyfer, #2986)

Features

• Add support for Node 16

Community

• Fix typos in Troubleshooting guide (@independencyinjection, #3051)
• Improve dependabot configuration (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

5.0.0

Breaking changes

• Only support LTS and current Node versions (@nschonni)
• Remove deprecated process.sass API (@xzyfer, #2986)

Features

• Add support for Node 15
• New node-gyp version that supports building with Python 3

Community

• More inclusive documentation (@rgeerts, #2944)
• Enabled dependabot (@nschonni)
• Improve release automation (@nschonni)

Fixes

• Bumped many dependencies (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	10, 12, 14, 15
OSX	x64	10, 12, 14, 15
Linux*	x64	10, 12, 14, 15
Alpine Linux	x64	10, 12, 14, 15
FreeBSD	i386 amd64	10, 12, 13

*Linux support refers to major distributions like Ubuntu, and Debian

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 74 commits:

• 7.0.1
• build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
• build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
• Lint fix
• Set rejectUnauthorized to true by default (#3149)
• chore: Drop EOL Node 15 (#3122)
• feat: Add Node 17 support (#3195)
• build(deps-dev): bump eslint from 7.32.0 to 8.0.0
• build(deps): bump actions/setup-node from 2.4.0 to 2.4.1
• chore: Windows x86 on GitHub Actions (#3041)
• build(deps-dev): bump fs-extra from 0.30.0 to 10.0.0 (#3102)
• build(deps): bump npmlog from 4.1.2 to 5.0.0 (#3156)
• build(deps): bump chalk from 1.1.3 to 4.1.2 (#3161)
• build(deps): bump actions/setup-node from 2.3.0 to 2.4.0
• docs: Double word "support" (#3159)
• build(deps): bump actions/setup-node from 2.1.5 to 2.3.0
• build(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3
• 6.0.1
• remove mkdirp dep (#3108)
• build(deps): bump meow from 3.7.0 to 9.0.0
• build(deps-dev): bump mocha from 8.4.0 to 9.0.1
• chore: Use default Apline version from docker-node (#3121)
• chore: Drop Node 10 support
• fix: Bump OSX minimum to 10.11
• fix: Remove old compiler gyp settings
• chore: Add Node 16 support
• build(deps): bump actions/setup-node from v2.1.4 to v2.1.5
• Update TROUBLESHOOTING.md
• build(deps): bump actions/setup-node from v2.1.3 to v2.1.4
• build(deps): bump actions/setup-node from v2.1.2 to v2.1.3
• chore: Bump dependabot limit
• 5.0.0 (#3015)
• chore: Add Node 15 support (#2983)
• Add a deprecation message to the readme (#3011)
• chore: Don't upload artifacts on PRs
• chore: Only run coverage on main repo
• build(deps): update actions/setup-node requirement to v2.1.2
• build(deps-dev): bump rimraf from 2.7.1 to 3.0.2
• chore: Don't double build DependaBot PRs
• chore: Add weekly DependaBot updates
• Remove deprecated process.sass API
• Replace lodash/assign in favor of the native Object.assign
• Remove workarounds for old Node.js versions
• chore: Remove second NPM badge
• chore: Remove Slack badge
• chore: Cleanup status badges
• chore: Bump minimum engine version to v10
• chore: Add basic Node version support policy
• chore: Bump node-gyp to 7.1.0
• chore: Bump cross-spawn to v7.0.3
• chore: Update Istanbul to NYC
• chore: Bump mocha to v8.1.3
• chore: Skip constructor tests on v14.6+
• chore: Hoist test ESLint config
• chore: Remove disabled and recommended rules
• fix: Bump ESLint to 7.10 and fix new issues
• chore: Use strict assert
• chore: Drop object-merge used by old sass-spec
• fix: Read fixture as utf-8
• fix: assert.deepEqual to strictDeepEqual
• typo: corectly -> correctly
• fix: Depreciate Assert equal to strictEqual
• Fix tests that have always been broke
• chore: Add GitHub Coveralls
• chore: Drop sass-spec testing
• chore: Use action/upload-artifact@v2 for Alpine
• chore: Move macOS to GitHub Actions
• chore: Move Linux testing to GitHub Actions
• chore: Move Coverage to GitHub Actions
• chore: Move Linting to GitHub Actions
• chore: Move Windows x64 to GitHub Actions
• chore: Remove CI for unsupported Node versions
• improved language to be more sensitive to less privileged populations (#2944)
• fix: Flatten sourceMap folder detection

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)