Update Node SASS

[youknowriad]

I was having 404 errors when running npm install.

Testing instructions

• npm install && npm run dev
• Check that Gutenberg is loading properly

[youknowriad]

Oops that's a big diff in package-lock. Checking again.

Edit: It looks legit.

[ntwb]

Oops that's a big diff in package-lock. Checking again.

I had a similar issue yesterday, for some reason a bunch of "dev": true fields are being added, which I think is correct per the docs:

dev
"If true then this dependency is either a development dependency ONLY of the top level module or a transitive dependency of one. This is false for dependencies that are both a development dependency of the top level and a transitive dependency of a non-development dependency of the top level."

[ntwb]

The reason we are using a pinned version of node-sass is in #6772

node-sass changes from v4.7.2 to v4.7.0, this is due to node-sass > v4.7.1 locking down the request library to ~2.79.0 which includes a vulnerable hoek package, see https://nodesecurity.io/advisories/566. It also uses the v4.7.0 release from GitHub rather than npmjs.com because v4.7.0 is not published to npmjs.com. This issue will not be resolved by node-sass until v5.0.0 is released in a few weeks time when as part of that release Node.js v4 support will be dropped.

Unfortuately node-sass v5 is still unreleased sass/node-sass#2312

[ntwb]

@youknowriad can you try running npm rebuild node-sass using the existing v4.7.0 please?

[youknowriad]

I'm fine with keeping the current version but I still get 404 when trying to run npm install

[ntwb]

Does it display the filename of the 404 during this?

[youknowriad]

https://github.com/sass/node-sass/releases/download/v4.7.0/darwin-x64-64_binding.node

[ntwb]

Right, yes, unfortunately, darwin-x64-64_binding.node is not listed at: https://github.com/sass/node-sass/releases/tag/v4.7.0

Just to confirm what node.js and npm version are you using @youknowriad ?

[youknowriad]

Actually, this is not really needed. I'm closing, after further investigation, it looks like the dependency binaries are built after the failing 404 but in a special setup (trying to build a docker image) the build also fails so it's probably a specific failure.

[ntwb]

Thanks @youknowriad

p.s. @pento Gutenberg is not compatible with Node.js v10.x by way of node-sass incompatibilities with the 4.7.0 release we are currently pinned to.

We pinned to 4.7.0 to get npm audit to pass

The node-sass v4.9.0 release supports Node.js v10 but breaks npm audit

[pento]

@ntwb: Apparently node-sass 4.9.1 fixes the npm audit noise. Let's upgrade it, then we can hopefully upgrade Node to v10.