Node-sass: Security issue: Prototype pollution attack (Introduced by the [email protected] => [email protected] => [email protected])

Created on 14 Mar 2018 · 8 Comments · Source: sass/node-sass

The latest version [email protected] uses request@~2.79.0. However, request@~2.79.0 has a vulnerability which is introduced by [email protected]. More information is here:

https://nodesecurity.io/advisories/566
https://snyk.io/vuln/npm:hoek:20180212

Could you please update request to the latest version to solve the vulnerability? Thank you so much.

  • NPM version (npm -v): 5.4.2
  • Node version (node -v): v8.8.1
  • Node Process (node -p process.versions):
{ 
  http_parser: '2.7.0',
  node: '8.8.1',
  v8: '6.1.534.42',
  uv: '1.15.0',
  zlib: '1.2.11',
  ares: '1.10.1-DEV',
  modules: '57',
  nghttp2: '1.25.0',
  openssl: '1.0.2l',
  icu: '59.1',
  unicode: '9.0',
  cldr: '31.0.1',
  tz: '2017b' 
}
  • Node Platform (node -p process.platform): darwin
  • Node architecture (node -p process.arch): x64
  • node-sass version (node -p "require('node-sass').info"):
node-sass   4.7.2   (Wrapper)   [JavaScript]
libsass     3.5.0.beta.2    (Sass Compiler) [C/C++]
  • npm node-sass versions (npm ls node-sass):
[email protected] /Users/microsoft/Michael/MicrosoftRepo/cla/cla-assistant
└─┬ [email protected]
  └── [email protected]

All 8 comments

Duplicate of a bunch of existing tickets. See #2355 for the new general tracking issue

Just a heads-up: GitHub is now flagging up this vulnerability on any repos that have Node-Sass in the package-lock.json (at least in Node-Sass 4.9.0).

@philwareham I installed the v5 branch with:

npm install --save https://github.com/sass/node-sass/tarball/v5

And that fixed the hoek problem due to the request version being updated in node-sass. Everything seems to work fine for me, but my project is pretty simple as far as SASS is concerned.

Your mileage may vary...

Any chance we get the v5 branch on npm as node-sass@next?

The API hasn't stabilised yet

On Sat., 28 Apr. 2018, 12:06 am Jamie McElwain, notifications@github.com wrote:

Any chance we get the v5 branch on npm as node-sass@next?


If you desperately need to work around this issue you can install [email protected] exactly. It is the last version before we locked down the request version range.

On Sat., 28 Apr. 2018, 12:44 am Michael Mifsud, xzyfer@gmail.com wrote:

The API hasn't stabilised yet


Okay I fixed my issue, ty @xzyfer for your suggestion - but due to my own package-lock needing the request version range, every time I tried to install [email protected] it kept denying me, something about other packages relying on dependencies of node-sass or request.. not sure as I can't seem to find the error within the window now 😭

My Solution

Fixed by updating all first level package.lock dependencies that have their own dependency of hoek somewhere down the chain, fixed for all apart from node-sass which had to use @asommer70's suggestion.

Now no security error 🎉 👍

@EmilyRosina I tried to install v5 via the tarball as @asommer70 suggested, but get a bunch of error messages. It seems to want to use python2 among other things, and I have python3 installed. Not sure what to do to fix it.

Shout out if you have any thoughts :)
