Vulnerability in dependency

[damiarita]

Hi,

Recently, the vulnerability https://nodesecurity.io/advisories/803 appeared

I use webpack encore and enableSassLoader() this forces me to add node-sass which as this dependency chain: node-sass > node-gyp > tar

This is my yarn edit result
$ yarn audit
yarn audit v1.13.0

│ high │ Arbitrary File Overwrite │

│ Package │ tar │

│ Patched in │ >=4.4.2 │

│ Dependency of │ node-sass │

│ Path │ node-sass > node-gyp > tar │

│ More info │ https://nodesecurity.io/advisories/803 │

1 vulnerabilities found - Packages audited: 12330
Severity: 1 High
Done in 2.21s.

This is my result of yarn why tar
$ yarn why tar
yarn why v1.13.0
[1/4] Why do we have the module "tar"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "tar@2.2.1"
info Reasons this module exists

• "node-sass#node-gyp" depends on it
• Hoisted from "node-sass#node-gyp#tar"
  => Found "node-pre-gyp#tar@4.4.8"
  info This module exists because "@symfony#webpack-encore#webpack-dev-server#chokidar#fsevents#node-pre-gyp" depends on it.
  Done in 1.41s.

Is it possible to have sass-loader use a more modern tar version?

[Lyrkan]

Hi @damiarita,

Not much we can do on our side... and no "proper" solution is available yet.

The following PR could solve the issue if merged/released: nodejs/node-gyp#1718
I suggest you to read the following thread for workarounds in the meantime: sass/node-sass#2625

Another solution could be to use Dart Sass instead of Node Sass (since the sass-loader allows you to switch quite easily):

# Remove node-sass and replace it by sass
$ yarn remove node-sass
$ yarn add --dev sass

// webpack.config.js
const Encore = require('@symfony/webpack-encore');

Encore.enableSassLoader(options => {
  // The following line won't be needed anymore when
  // the next version of sass-loader is released
  options.implementation = require('sass');
});

[damiarita]

Hi,

I followed the steps. But I get the same issue as in #422

This is the error:
Error: Install node-sass to use enableSassLoader()
yarn add node-sass --dev

I have tried both require('sass'); and require('dart-sass');

[Lyrkan]

@damiarita You may be using an old version of Encore, support for Dart Sass was added in 0.24.0.

[geoff-maddock]

@damiarita did you get a resolution here? I tried using sass as described here, even with webpack-encore 0.27.0, but it still says Error: Install node-sass to use enableSassLoader()

[Kocal]

I think the best option is to drop node-sass for sass:

Encore.enableSassLoader(options => {
    options.implementation = require('sass');
})

[geoff-maddock]

Odd, I still get the error even after changing it. Seems like it's a dependency of encore still

[Lyrkan]

@geoff-maddock Could you share a repro?

I just tested it and it seems to work fine for a minimal setup:

// webpack.config.js
const Encore = require('@symfony/webpack-encore');

Encore
    .disableSingleRuntimeChunk()
    .setOutputPath('build')
    .setPublicPath('/build')
    .enableSassLoader(options => {
        options.implementation = require('sass');
    })
    .addEntry('scss', './style.scss')
;

module.exports = Encore.getWebpackConfig();

$ yarn add @symfony/webpack-encore sass-loader sass
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved 563 new dependencies.
info Direct dependencies
├─ @symfony/webpack-encore@0.27.0
├─ sass-loader@7.1.0
└─ sass@1.21.0

$ yarn encore production
yarn run v1.13.0

 DONE  Compiled successfully in 823ms

 I  2 files written to build
Entrypoint scss = scss.css scss.js

$ yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 13442

Also there isn't any vulnerability issue anymore with node-sass either:

$ yarn remove sass
yarn remove v1.13.0
[1/2] Removing module sass...
[2/2] Regenerating lockfile and installing missing dependencies...
success Uninstalled packages.

$ yarn add node-sass
yarn add v1.13.0
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved 72 new dependencies.
info Direct dependencies
└─ node-sass@4.12.0

$ yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 11854