security fix for 6.x versions

[long76]

please made fix for 6.x versions not only 7.1.1+
https://www.npmjs.com/advisories/1488

[CiprianDraghici]

If we upgrade the version, the vulnerabilities are fixed but this issue appear.

[marijnh]

If we upgrade the version, the vulnerabilities are fixed but this issue appear.

A small clip from a screenshot is not a bug report. Please file a proper issue with an actual description of the input that triggers the problem.

[marijnh]

Released 6.4.1 with this fix. I hope the npm version range checker is smart enough to see that that one isn't affected.

[fabb]

@marijnh 6.4.1 shows up as affected: https://www.npmjs.com/advisories/1488/versions

[CiprianDraghici]

@marijnh The fix you provided for version 6.4.1 is just a change of changelog, not a real fix. Did you forgot to add the changes in commit?

[fabb]

ok, 6.4.1 is now has been whitelisted in npm: https://www.npmjs.com/advisories/1488/versions

[marijnh]

@marijnh The fix you provided for version 6.4.1 is just a change of changelog, not a real fix. Did you forgot to add the changes in commit?

No, it's not. That's the only effect on the master branch, since that tracks the latest version.

[G-Rath]

@marijnh what are the chances of getting this backported for 5.5.0?

While I'd prefer people to upgrade rather expecting backports for every version, the last version of sass-lint (which was deprecated 2 years ago) indirectly uses acorn@5 by way of an old version of eslint -> espree.

It's not possible for sass-lint to fix this since it requires a major update of eslint which it uses to do it's linting, so getting a patched version of 5.5.0 would save us having to run around pulling sass-lint out of everything asap.

[marijnh]

@G-Rath Do you specifically mean 5.5.0? The last 5.x version was 5.7.3, so if I'm going to release a new 5.x, it seems 5.7.4 would be reasonable.

Also, I don't know how to get a new version whitelisted in the npm vulnerability database, but maybe @fabb can help there.

[G-Rath]

Good question - looking over the dependencies, this is the version of espree that is being used, which is where the acorn dep comes from:

    "espree": {
      "version": "3.5.4",
      "resolved": "https://registry.npmjs.org/espree/-/espree-3.5.4.tgz",
      "integrity": "sha512-yAcIQxtmMiB/jL32dzEp2enBeidsB7xWPLNiw3IIkpVds1P+h7qF9YwJq1yUNzp2OKXgAprs4F61ih66UsoD1A==",
      "dev": true,
      "requires": {
        "acorn": "^5.5.0",
        "acorn-jsx": "^3.0.0"
      }
    },

which was happily using 5.7.3 according to the lock, so yes releasing 5.7.4 would do the trick.

I believe getting it whitelisted is done by just contacting npm support, and providing some information (how detailed that info is however I don't know) - @fabb if you could work your magic again for us for that version once/if it's released, that would be amazing.

[marijnh]

There's now a 5.7.4. I've sent an email to npm support, I don't know how long it'll take them to act on it.

[fabb]

Yesterday my request to whitelist 6.4.1 sent to security@npmjs.com was answered after 1.5h.