downgrade to node-sass 4.6.1 to get upgraded transitive dependencies #1287
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This attempts to fix the CVE-2018-3728 vulnerability that github identified and is yelling about on the front page of this repo.
The vulnerability is in
hoek 2.16.3
, which is pulled in as a transitive dependency a few layers down: https://github.com/broadinstitute/firecloud-ui/network/dependenciesThe direct dependency
node-sass
is the culprit; see sass/node-sass#2355. The fix I'm proposing is to downgrade node-sass. Version 4.6.1 of node-sass is the latest that depends on"request": "^2.79.0"
: https://github.com/sass/node-sass/blob/v4.6.1/package.json#L71, while version 4.9.0 of node-sass depends on"request": "~2.79.0"
: https://github.com/sass/node-sass/blob/v4.9.0/package.json#L71.This means that by using an earlier version of
node-sass
, we get a later version ofrequest
. The later version ofrequest
in turn pulls in (a couple layers down) a later version ofhoek
that doesn't have the vulnerability.To get a clean slate and rid ourselves of the older versions of node-sass, request, hawk, boom, sntp, and hoek - all the packages in the vulnerable dependency chain - I completely rebuilt package-lock.json. It's going to show a huge diff; remember this is an auto-generated file (my process was to rm package-lock.json; rm -rf node_modules; npm install).
Finally - one of our transitive dependencies moved from using
ajv
as a dependency to usingajv
as a peerDependency. Since peer dependencies aren't automatically installed, I added it to our direct dependency list in package.json.