This repository was archived by the owner on Jul 24, 2024. It is now read-only.
Security issue in dependencies #2355
Closed
Description
Update
Resolved in node-sass@4.9.3. Upgrade to quiet npm.
hoek@2.16.3 is vulnerable to CVE-2018-3728
For node-sass, the problem comes from requiring request@2.79.0 in package.json.
The dependency tree is as follows for 4.8.3:
node-sass@4.8.3
|-request@2.79.0
|-hawk@3.1.3
|-hoek@2.16.3
and is the same for 4.9.0:
node-sass@4.9.0
|-request@2.79.0
|-hawk@3.1.3
|-hoek@2.16.3
Fix
To fix this, request@2.82.0 or higher is required.
Context
- NPM version (npm -v): 5.8.0
- Node version (node -v): v9.11.1
- Node Process (node -p process.versions):
{ http_parser: '2.8.0',
node: '9.11.1',
v8: '6.2.414.46-node.23',
uv: '1.19.2',
zlib: '1.2.11',
ares: '1.13.0',
modules: '59',
nghttp2: '1.29.0',
napi: '3',
openssl: '1.0.2o',
icu: '61.1',
unicode: '10.0',
cldr: '33.0',
tz: '2018c' }
- Node Platform (node -p process.platform): linux
- Node architecture (node -p process.arch): x64
- node-sass version (node -p "require('node-sass').info"):
node-sass 4.9.0 (Wrapper) [JavaScript]
libsass 3.5.4 (Sass Compiler) [C/C++]
- npm node-sass versions (npm ls node-sass):
├─┬ gulp-sass@4.0.1
│ └── node-sass@4.9.0 deduped
└── node-sass@4.9.0
Related issues
request:
request/request#2926
request/request#2874
node-sass:
#2352
#2288
#2262
#2252
#2170
#2256
Problem
xzyfer in #2352
It cannot be fixed without breaking node < 4 support
I also see in #2288 that the problem is solved in node-sass v5.
So this ticket needs to stay open until v5 is released. Please don't close it.
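Added example, not code from the node-sass project: a small script that walks an `npm ls --json`-style dependency tree (the constructed sample mirrors the tree quoted in this issue) and reports every path that reaches request below 2.82.0 or hoek@2.16.3, so the chain described here can be spotted in a dependency audit regardless of what npm's own advisory output says. The version rules encode only what the issue states; the tree shape and package names are assumptions for the sample.

```javascript
// Added example (not node-sass project code): scan an `npm ls --json`-style
// dependency tree for the vulnerable chain this issue describes.
// A package is flagged when it is request below 2.82.0 (the version the
// issue says is needed) or hoek@2.16.3 (the CVE-2018-3728 version).

// Constructed sample mirroring the tree in the issue; in real use read the
// output of `npm ls --json` from a file and pass it to findVulnerablePaths.
const SAMPLE_TREE = {
  name: 'app', version: '1.0.0',
  dependencies: {
    'gulp-sass': { version: '4.0.1',
      dependencies: { 'node-sass': { version: '4.9.0' } } },  // deduped entry
    'node-sass': { version: '4.9.0', dependencies: {
      request: { version: '2.79.0', dependencies: {
        hawk: { version: '3.1.3', dependencies: {
          hoek: { version: '2.16.3' } } } } } } },
  },
};

// Minimal comparison for plain x.y.z versions (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name -> predicate that marks a version as vulnerable.
const RULES = {
  request: (v) => compareVersions(v, '2.82.0') < 0,
  hoek: (v) => compareVersions(v, '2.16.3') === 0,
};

// Depth-first walk; returns "a@x > b@y > ..." strings, one per flagged node.
function findVulnerablePaths(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (RULES[name] && RULES[name](node.version)) out.push(here.join(' > '));
    findVulnerablePaths(node, here, out);
  }
  return out;
}

findVulnerablePaths(SAMPLE_TREE).forEach((p) => console.log('vulnerable:', p));
```

Running it against the sample prints the request@2.79.0 node and the hawk > hoek@2.16.3 path beneath it; a tree where request is at 2.82.0 or higher and hoek is no longer 2.16.3 produces no output.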