Node-sass: v4.11.0 and v4.12.0 binaries say using libsass 3.5.4 instead of 3.5.5

Created on 2 Apr 2019  路  4Comments  路  Source: sass/node-sass

What the title says... at least for me, after doing a clean install of node-sass: 

> npx node-sass --version
node-sass       4.11.0  (Wrapper)       [JavaScript]
libsass         3.5.4   (Sass Compiler) [C/C++]
> npm --version 
6.4.1
> node --version
v11.2.0

Please release a new version with 3.5.5 (or later) due to security vulnerabilities.

And at a minimum the documentation should be updated to state the version it actually uses.

If needed I can try to submit a PR.

(Windows 10 Enterprise, vr 10.0.16299, 64bit)

Bug - Confirmed Module - Binding
Source
picture narve
👍1

All 4 comments

Thanks @narve same here, I just checked as well. My security vulnerability scanners are crying since yesterday under CVE-2018-11693.

saifali96 picture saifali96 on 2 Apr 2019

4.12 still references 3.5.4

wesgro picture wesgro on 15 May 2019

Same here, 4.12 referencing libsass 3.5.4, triggering vulnerabilities and making our security folks unhappy.

hoona picture hoona on 20 May 2019
😕3

From what I see only the version number did not get updated. The code is really using libsass 3.5.5.

saper picture saper on 17 Oct 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

NathanKleekamp picture NathanKleekamp  路  4Comments
liuyuqiang picture liuyuqiang  路  3Comments
goseesomething picture goseesomething  路  3Comments
YepFury picture YepFury  路  4Comments
pulkitnandan picture pulkitnandan  路  4Comments