This repository has been archived by the owner on Jul 20, 2023. It is now read-only.

Upgrade node-sass to fix tar vulnerability #85

Closed
gtmills opened this issue May 3, 2019 · 1 comment

gtmills commented May 3, 2019

Need to update node-sass when they publish a new release.
sass/node-sass#2625
Please read issue for more detail, but it is not a simple fix on their end.

@gtmills gtmills self-assigned this May 3, 2019

gtmills commented May 3, 2019

geissonator pushed a commit that referenced this issue May 7, 2019
Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
 tar
 Upgrade tar to version 4.4.2 or later."

See https://nvd.nist.gov/vuln/detail/CVE-2018-20834
for more information.
Ran "NPM update" && "npm install tar@latest --save".

Unfortunately, this only addresses one of the packages
that uses tar, the other, node-sass, has not published a
release to fix this vulnerability.
See sass/node-sass#2625
Not an easy fix for node-sass.

Opened #85 to track this work.

Tested: Built the GUI and loaded it on a Witherspoon. No
        regressions observed.

Change-Id: I9e06d77a03dff4a3d12f472fd18671cc8c41fcd4
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
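
The commit above notes that upgrading the top-level `tar` leaves other copies in the tree untouched. As an added example (not code from this issue or from the phosphor-webui repository), the check below walks an npm lockfile in the v1 nested layout and lists every copy of `tar` below the 4.4.2 threshold quoted in the alert. The function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: find every copy of a package in an npm lockfile (v1 layout,
// nested "dependencies") whose resolved version is below a minimum.
const MIN_TAR = "4.4.2"; // threshold quoted in the alert on this page

// Compare plain x.y.z versions; pre-release tags are ignored (assumption).
function lessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// Walk the nested tree and record where each outdated copy lives in it.
function findOutdated(node, name, min, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name && lessThan(info.version, min)) {
      hits.push({ path: path.join(" > "), version: info.version });
    }
    hits.push(...findOutdated(info, name, min, path));
  }
  return hits;
}

// Constructed lockfile fragment (versions are illustrative, not the repo's).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    tar: { version: "4.4.8" }, // the copy a direct upgrade touches
    "node-sass": { version: "4.12.0", requires: { "node-gyp": "^3.8.0" } },
    "node-gyp": {
      version: "3.8.0",
      requires: { tar: "^2.0.0" },
      dependencies: { tar: { version: "2.2.1" } }, // nested, still old
    },
  },
};

console.log(findOutdated(sampleLock, "tar", MIN_TAR));
```

Against a real project, replace `sampleLock` with the parsed `package-lock.json`; an empty result means no copy of `tar` below the threshold remains in the tree.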