This repository was archived by the owner on Jul 24, 2024. It is now read-only.
Security issue in dependencies #2355
Closed
Description
Update
Resolved in [email protected]. Upgrade to quiet npm.
[email protected] is vulnerable to CVE-2018-3728.
For node-sass, the problem comes from requiring [email protected] in the package.json.
The dependency tree is as follows for 4.8.3 and is the same for 4.9.0:
Fix
To fix this, [email protected] or superior is required.
Context
- NPM version (`npm -v`): 5.8.0
- Node version (`node -v`): v9.11.1
- Node Process (`node -p process.versions`):

    { http_parser: '2.8.0',
      node: '9.11.1',
      v8: '6.2.414.46-node.23',
      uv: '1.19.2',
      zlib: '1.2.11',
      ares: '1.13.0',
      modules: '59',
      nghttp2: '1.29.0',
      napi: '3',
      openssl: '1.0.2o',
      icu: '61.1',
      unicode: '10.0',
      cldr: '33.0',
      tz: '2018c' }

- Node Platform (`node -p process.platform`): linux
- Node architecture (`node -p process.arch`): x64
- node-sass version (`node -p "require('node-sass').info"`):

    node-sass 4.9.0 (Wrapper) [JavaScript]
    libsass 3.5.4 (Sass Compiler) [C/C++]

- npm node-sass versions (`npm ls node-sass`):

    ├─┬ [email protected]
    │ └── [email protected] deduped
    └── [email protected]
Related issues
request:
request/request#2926
request/request#2874
node-sass:
#2352
#2288
#2262
#2252
#2170
#2256
Problem
xzyfer in #2352:
It cannot be fixed without breaking node < 4 support.
I also see in #2288 that the problem is solved in node-sass v5.
So this ticket needs to stay open until v5 is released. Please don't close it.
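One way to find every path by which an installed tree pulls in a transitive dependency older than its first fixed release, as in the situation this issue reports. This is an added example, not part of the original issue or the node-sass project; the function names, package names and versions are constructed placeholders, and the input is assumed to have the shape of `npm ls --json` output.

```javascript
// Added example: walk an `npm ls --json` style tree and report every
// dependency path that reaches a package older than its first fixed release.
// All package names and versions below are constructed placeholders.

// Compare two plain x.y.z versions; returns <0, 0 or >0.
// Assumption: pre-release tags and ranges are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns one "a@1 > b@2 > c@3" string per vulnerable occurrence.
function findVulnerablePaths(tree, pkgName, firstFixed) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = trail.concat(`${name}@${dep.version}`);
      if (name === pkgName && dep.version &&
          compareVersions(dep.version, firstFixed) < 0) {
        hits.push(here.join(' > '));
      }
      walk(dep, here); // nested copies can differ from the top-level one
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample: a build tool whose HTTP client pins an old utility
// library, while the application itself already uses a fixed release.
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'css-builder': { version: '4.9.0', dependencies: {
      'http-client': { version: '2.79.0', dependencies: {
        'auth-helper': { version: '3.1.3', dependencies: {
          'util-lib': { version: '2.16.3' } } } } } } },
    'util-lib': { version: '5.0.3' }
  }
};

console.log(findVulnerablePaths(sampleTree, 'util-lib', '4.2.1'));
```

The reported path shows which intermediate package has to raise its own dependency before the vulnerable copy disappears from the tree.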