CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz - autoclosed #1842
Comments

https://github.com/opensearch-project/OpenSearch-Dashboards/security/dependabot/62 This PR fixes the Regular expression denial of service in scss-tokenizer: use dart-sass instead of node-sass. node-sass is deprecated; details here: https://www.npmjs.com/package/node-sass The suggested solution (#535) is to use dart-sass instead of node-sass.
* use dart-sass instead of node-sass
* Update basic_optimization.test snapshot
* use compressed as outputStyle and fix yarn.lock
* minimize yarn.lock changes
Issues Resolved: #1842 #535
Signed-off-by: Tao liu <liutaoaz@amazon.com>
Possible solutions:
This is because sass-loader 10.2.1 doesn't support node-sass v7. Could try to bump it to 10.4.1:

Bump node-sass to 7.0.3 and sass-loader to 10.4.1
Issue Resolved: opensearch-project#1067 opensearch-project#1842
Signed-off-by: Anan Zhuang <ananzh@amazon.com>

…der to 10.4.1 in 2.x
Bump node-sass to 7.0.3 and sass-loader to 10.4.1
Issue Resolved: opensearch-project#1067 opensearch-project#1842
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

Issue Resolve opensearch-project#1842
Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Issue Resolve #1842
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>

…3789)
Issue Resolve #1842
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 5d4fdd2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
CVE-2022-25758 - High Severity Vulnerability
Vulnerable Library - scss-tokenizer-0.2.3.tgz
A tokenizer for Sass' SCSS syntax
Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the use of an insecure regular expression.
Publish Date: 2022-07-01
URL: CVE-2022-25758
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25758
Release Date: 2022-07-01
Fix Resolution: no_fix