This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

sass-graph should be updated to version 3 #2863

Closed
stof opened this issue Mar 17, 2020 · 9 comments

Comments

@stof

stof commented Mar 17, 2020

node-sass currently depends on sass-graph 2.2.4. This version depends on a version of yargs which gets reported as a security vulnerability by Snyk.
It would be great to update to the maintained version of sass-graph rather than using this old version.

@xzyfer
Contributor

xzyfer commented Mar 17, 2020 via email

@stof
Author

stof commented Mar 17, 2020

is there any estimate for when v5 will be ready? It seems to have been in progress for at least 2 years.

@raparlasiva

We have a similar issue on our Veracode scan. It would really help us if you can provide an estimate on when v5 is in the pipeline.

@xzyfer
Contributor

xzyfer commented Mar 17, 2020

If this is really an issue for your CI environment I recommend opening a PR against the sass-graph v2 branch (https://github.com/xzyfer/sass-graph/tree/v2) to bump the vulnerable dependencies.

@stof
Author

stof commented Mar 18, 2020

hmm, due to node-sass needing to support old node.js versions in its v4 version, upgrading yargs in sass-graph v2 won't work. Yargs 8 requires Node 4+ and yargs 12 requires Node 6+, while getting a version in which the vulnerability is patched requires upgrading at least to yargs 13.
So we won't be able to get the fix until node-sass v5.

@henry-chris

Just making sure I understand what @stof is getting at, since the same security vulnerability is being reported by a bunch of different scans.

These vulnerabilities do not exist in the files/code generated by node-sass right? For instance, the CSS which is output from the pre-processing? I can't see how it would.

It should only be a security hole if you are actively running this package somewhere, right?

I guess running build steps in the cloud is where it could happen?

@stof
Author

stof commented Apr 7, 2020

@henry-chris yes. The security issue is in the CLI runner. If that CLI runner is not deployed to your servers but kept as a dev requirement used in your build process, your prod servers will be fine.

@nschonni
Contributor

nschonni commented May 4, 2020

Separate from the v3 upgrade, but #2915 will have a patch for yargs only

@xzyfer
Contributor

xzyfer commented May 4, 2020

Fixed in v4.14.1

5 participants