Vulnerability in node-sass > sass-graph > yargs > cliui > strip-ansi > ansi-regex

[alexarsh]

• NPM version (npm -v): 6.14.15
• Node version (node -v): v14.18.0
• Node Process (node -p process.versions):

{
node: '14.18.0',
v8: '8.4.371.23-node.84',
uv: '1.42.0',
zlib: '1.2.11',
brotli: '1.0.9',
ares: '1.17.2',
modules: '83',
nghttp2: '1.42.0',
napi: '8',
llhttp: '2.1.3',
openssl: '1.1.1l',
cldr: '39.0',
icu: '69.1',
tz: '2021a',
unicode: '13.0'
}

• Node Platform (node -p process.platform): darwin
• Node architecture (node -p process.arch): x64
• node-sass version (node -p "require('node-sass').info"):

node-sass 6.0.1 (Wrapper) [JavaScript]
libsass 3.5.5 (Sass Compiler) [C/C++]

• npm node-sass versions (npm ls node-sass): node-sass@6.0.1

There is the following dependencies tree:

─┬ node-sass@6.0.1
│ └─┬ sass-graph@2.2.5
│ └─┬ yargs@13.3.2
│ ├─┬ cliui@5.0.0
│ │ ├─┬ strip-ansi@5.2.0
│ │ │ └── ansi-regex@4.1.0

When ansi-regex@4.1.0 have the following vulnerability issues:
https://snyk.io/vuln/npm:ansi-regex@4.1.0

Is there a chance that sass-graph@2.2.5 dependency can be updated in order to fix the issue?

[matt-cote]

#3044

[kiskoza]

Upgrading sass-graph to 3.0.5 won't solve the issue as it's using the same yargs version constrains. There is an open PR (xzyfer/sass-graph#115) trying to upgrade the yargs version, I just added some extra information there to help the maintainer of that package

[katannshaw]

@alexarsh I had the same issue today. After a lot of trial and error I finally noticed this error message:

npm WARN EBADENGINE Unsupported engine { package: 'node-sass@6.0.1',
npm WARN EBADENGINE   required: { node: '>=12' },
npm WARN EBADENGINE   current: { node: 'v10.22.1', npm: '7.21.1' } }

So I ran nvm install v14.18.1 to update my version of node to 14 and it fixed the issue for me. Good luck to you.

[alexarsh]

@katannshaw Hi. Tried updating to v14, but still have the same version dependency

[PrinsFrank]

Looks like xzyfer/sass-graph is abandoned, the last release is almost 1,5 years ago, and the PR to fix this vulnerability has been open for 15 days now. As node-sass is deprecated we took the time to move to dart-sass. I suggest everyone else that runs into this issue to do the same.

[driskell]

For many projects dart-sass is substantially slower so is not a viable solution in a lot of cases. In some of our foundation-sites projects the incremental compilation moves from 5 seconds to approximately 5 minutes or longer. There is a new dart VM hosted compilation module in the works but its still very much experimental and no webpack integration yet.

Possibly the best approach is to absorb sass-graph module into node-sass in its current state and then update the dependencies in node-sass accordingly? Would allow node-sass to remain in maintenance mode successfully for a while until the other options mentioned above are available.

[fmaddenflx]

Any updates on this? Has any work been done to absorb sass-graph into node-sass as suggested in the previous post?

[kiskoza]

I opened #3202 to absorb sass-graph as suggested, but the maintainers haven't responded anything yet. not sure what else I can do...

[EchoZhaoH]

sass-graph does not seem to be maintained, is there any update to node-sass?

[xzyfer]

sass-graph@4.0.0 has been released with a patch for this.

[xzyfer]

Fixed in 7.0.1.