build(deps): ReDoS vulnerability from intermediate dependency #3125
Conversation
There is an issue with Alpine release checks, but I've checked PRs nearby and it looks like a common issue.
| type: 'string', | ||
| }, | ||
| includePath: { | ||
| type: 'string', |
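Review bot: the visible context declares `includePath` with only `type: 'string'`, while the thread below relies on meow returning an array for `isMultiple` flags to justify dropping the array coercion; confirm the flag definition in this hunk actually carries `isMultiple: true`, otherwise callers that previously depended on the coercion will receive a bare string.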
I'm not sure this is fully equivalent with the below, since I think the API is expecting an array in all cases, which was why it coerced it if it wasn't. Maybe that isMultiple forces the same thing
meow always returns an array for isMultiple flags according to the documentation.
I checked the behaviour and removed the unnecessary code below as well: https://github.com/sass/node-sass/pull/3125/files/be85ce1818a68e45d4f40672fce5424a918bebd9#diff-66e4eb9929e494460303e4a5e5c4ea4252befaf983cc44bfea286987f0509ef9L285
Appreciate all your effort. This is released in 6.0.1.

Should also make the move to ESM; quite a few are starting to do it right now.

We're not open to adopting ESM modules at this time. We want to minimise churn and limit releases to security patches and major compatibility issues.

@xzyfer security first; nice that this PR is merged. I was waiting for it, like for the gulp-sass pull.

Thanks for the reminder @ljuroszekPerfectgym. I've released a 4.1.1 with the lodash update.

hell yeah, thanks!

Was this backported to the 4.14.X version as well?

Looks like we can backport this to 4.x by updating to meow@7 without too much happy. I'll try to cut a release in the next 48hrs.

Are there still plans to backport this to 4.x?
Hello folks,
CVE-2021-33623 describes a ReDoS vulnerability in an intermediate meow dependency, so I updated meow from 3.7.0 to 9.0.0.
Unfortunately I could not update to the latest version of meow (10.0.0), because the meow code was migrated to ESM and node-sass requires node engine >= 12 according to the current package.json.