Node-sass: NPM Audit issue

Created on 13 Sep 2019 · 4Comments · Source: sass/node-sass

Node : 10x
node-sass: 4.12.x

We have few security issues which need just dependency update.

Below is the list:-

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1065 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.2 <3.0.0 || >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.0.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > node-gyp > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.0.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > node-gyp > tar > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘

Source

ietabhi

Most helpful comment

npm audit fix should resolve this issue since we lock the semver major
ranges of dependencies

On Fri, 13 Sep 2019, 8:02 pm Daniel West, notifications@github.com wrote:

I've had a report about mem having a vulnerability (on GitHub) which
links to this. Essentially if this package can use the latest sass-graph
package then that should resolve the moderate severity issue that GitHub
reports. Thanks maintainers for all your hard work on this package!

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/sass/node-sass/issues/2734?email_source=notifications&email_token=AAENSWG4TMWJNYQQJFXIO6LQJNQKVA5CNFSM4IWMHCXKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6USMEA#issuecomment-531179024,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAENSWHLKXX5A7UI42MKLIDQJNQKVANCNFSM4IWMHCXA
.

xzyfer on 13 Sep 2019

👍2

All 4 comments

When i run "yarn audit" got above log

ietabhi on 13 Sep 2019

I've had a report about mem having a vulnerability (on GitHub) which links to this. Essentially if this package can use the latest sass-graph package then that should resolve the moderate severity issue that GitHub reports. Thanks maintainers for all your hard work on this package!

silverbackdan on 13 Sep 2019

npm audit fix should resolve this issue since we lock the semver major
ranges of dependencies

On Fri, 13 Sep 2019, 8:02 pm Daniel West, notifications@github.com wrote:

I've had a report about mem having a vulnerability (on GitHub) which
links to this. Essentially if this package can use the latest sass-graph
package then that should resolve the moderate severity issue that GitHub
reports. Thanks maintainers for all your hard work on this package!

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/sass/node-sass/issues/2734?email_source=notifications&email_token=AAENSWG4TMWJNYQQJFXIO6LQJNQKVA5CNFSM4IWMHCXKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6USMEA#issuecomment-531179024,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAENSWHLKXX5A7UI42MKLIDQJNQKVANCNFSM4IWMHCXA
.