
Vulnerability in dependency #563

Closed
damiarita opened this issue Apr 13, 2019 · 7 comments

Comments

@damiarita

damiarita commented Apr 13, 2019

Hi,

Recently, the vulnerability https://nodesecurity.io/advisories/803 appeared

I use webpack encore and enableSassLoader(); this forces me to add node-sass, which has this dependency chain: node-sass > node-gyp > tar

This is my yarn audit result
$ yarn audit
yarn audit v1.13.0

┌───────────────┬────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite               │
├───────────────┼────────────────────────────────────────┤
│ Package       │ tar                                    │
├───────────────┼────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                │
├───────────────┼────────────────────────────────────────┤
│ Dependency of │ node-sass                              │
├───────────────┼────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > tar             │
├───────────────┼────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803 │
└───────────────┴────────────────────────────────────────┘

1 vulnerabilities found - Packages audited: 12330
Severity: 1 High
Done in 2.21s.

This is my result of yarn why tar
$ yarn why tar
yarn why v1.13.0
[1/4] Why do we have the module "tar"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "tar@2.2.1"
info Reasons this module exists

  • "node-sass#node-gyp" depends on it
  • Hoisted from "node-sass#node-gyp#tar"
=> Found "node-pre-gyp#tar@4.4.8"
info This module exists because "@symfony#webpack-encore#webpack-dev-server#chokidar#fsevents#node-pre-gyp" depends on it.
Done in 1.41s.

Is it possible to have sass-loader use a more modern tar version?

@Lyrkan
Collaborator

Lyrkan commented Apr 13, 2019

Hi @damiarita,

Not much we can do on our side... and no "proper" solution is available yet.

The following PR could solve the issue if merged/released: nodejs/node-gyp#1718
I suggest you read the following thread for workarounds in the meantime: sass/node-sass#2625

Another solution could be to use Dart Sass instead of Node Sass (since the sass-loader allows you to switch quite easily):

# Remove node-sass and replace it by sass
$ yarn remove node-sass
$ yarn add --dev sass

// webpack.config.js
const Encore = require('@symfony/webpack-encore');

Encore.enableSassLoader(options => {
  // The following line won't be needed anymore when
  // the next version of sass-loader is released
  options.implementation = require('sass');
});

@Lyrkan Lyrkan closed this as completed Apr 13, 2019
@damiarita
Author

Hi,

I followed the steps, but I get the same issue as in #422

This is the error:
Error: Install node-sass to use enableSassLoader()
yarn add node-sass --dev

I have tried both require('sass'); and require('dart-sass');

@Lyrkan
Collaborator

Lyrkan commented Apr 14, 2019

@damiarita You may be using an old version of Encore, support for Dart Sass was added in 0.24.0.

@geoff-maddock

@damiarita did you get a resolution here? I tried using sass as described here, even with webpack-encore 0.27.0, but it still says Error: Install node-sass to use enableSassLoader()

@Kocal
Contributor

Kocal commented Jun 20, 2019

I think the best option is to drop node-sass for sass:

Encore.enableSassLoader(options => {
    options.implementation = require('sass');
});

@geoff-maddock

Odd, I still get the error even after changing it. Seems like it's a dependency of encore still

@Lyrkan
Collaborator

Lyrkan commented Jun 20, 2019

@geoff-maddock Could you share a repro?

I just tested it and it seems to work fine for a minimal setup:

// webpack.config.js
const Encore = require('@symfony/webpack-encore');

Encore
    .disableSingleRuntimeChunk()
    .setOutputPath('build')
    .setPublicPath('/build')
    .enableSassLoader(options => {
        options.implementation = require('sass');
    })
    .addEntry('scss', './style.scss')
;

module.exports = Encore.getWebpackConfig();

$ yarn add @symfony/webpack-encore sass-loader sass
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved 563 new dependencies.
info Direct dependencies
├─ @symfony/webpack-encore@0.27.0
├─ sass-loader@7.1.0
└─ sass@1.21.0

$ yarn encore production
yarn run v1.13.0

 DONE  Compiled successfully in 823ms

 I  2 files written to build
Entrypoint scss = scss.css scss.js

$ yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 13442

Also there isn't any vulnerability issue anymore with node-sass either:

$ yarn remove sass
yarn remove v1.13.0
[1/2] Removing module sass...
[2/2] Regenerating lockfile and installing missing dependencies...
success Uninstalled packages.

$ yarn add node-sass
yarn add v1.13.0
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved 72 new dependencies.
info Direct dependencies
└─ node-sass@4.12.0

$ yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 11854
