@nx/webpack > sass-loader version too old
vergilfromadyen opened this issue · comments
Vergil Penkov commented
@nx/webpack uses sass-loader@^12.2.0, which is 3 years old. It includes node-sass as a peerDependency and since some npm 7+ installs peerDependencies by default, this leads to some pretty old software with several vulnerabilities getting auto-installed.
node-sass has the following vulnerabilities reported:
- Out-of-Bounds: medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-535498
- NULL Pointer Dereference – high severity, https://snyk.io/vuln/SNYK-JS-NODESASS-535500
- Out-of-bounds Read – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540958
- Uncontrolled Recursion – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540964
- Denial of Service (DoS) – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540978
- NULL Pointer Dereference – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540992
- Out-of-Bounds – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540998
- Use After Free – high severity, https://snyk.io/vuln/SNYK-JS-NODESASS-541000
- Out-of-bounds Read – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-541002
- Subdependency request: Server-side Request Forgery (SSRF) – medium severity, https://snyk.io/vuln/SNYK-JS-REQUEST-3361831
The fix would be to update sass-loader to a recent version (14.2.1), and while the breaking changes are pretty small, I'm not sure how NX wants to handle them which is why I haven't opened a PR. That said, here is a cumulative list of breaking changes between v12 and v14:
- removed fibers support
- minimum supported Node.js version is 18.12.0 (627f55d)
- emit @warn at-rules as webpack warnings by default, if you want to revert behavior please use the warnRuleAsWarning option (webpack-contrib/sass-loader#1054) (58ffb68)
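The check a maintainer would want before and after bumping the loader is whether an old sass-loader is in the tree, whether its non-optional peer dependency on node-sass is the thing npm 7+ would auto-install, and what node-sass in turn pulls in (request, in the report above). The script below is an added example, not code from this issue, from Nx or from sass-loader; it walks the `packages` map of a lockfileVersion 2/3 package-lock.json. The lock data embedded in it is constructed for the demo, and the versions, ranges and the optional/non-optional peer flags in it are illustrative assumptions, not copied from a real install.

```javascript
// Added example (not from the issue, Nx or sass-loader): audit an npm lockfile
// (v2/v3 "packages" map) for an outdated sass-loader, a non-optional peer
// dependency on node-sass that npm 7+ would auto-install, and the packages
// node-sass drags in transitively. The lockfile below is constructed for the
// demo; versions and ranges are assumptions, not data from a real project.

const constructedLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@nx/webpack": "*" } },
    "node_modules/@nx/webpack": {
      version: "17.0.0",
      dependencies: { "sass-loader": "^12.2.0" },
    },
    "node_modules/sass-loader": {
      version: "12.6.0",
      peerDependencies: { "node-sass": "^7.0.0", sass: "^1.3.0", webpack: "^5.0.0" },
      // In this constructed entry only `sass` is marked optional; `node-sass` is
      // not, which is the case in which npm 7+ installs the peer automatically.
      peerDependenciesMeta: { sass: { optional: true } },
    },
    "node_modules/node-sass": { version: "7.0.3", dependencies: { request: "^2.88.0" } },
    "node_modules/request": { version: "2.88.2" },
    "node_modules/webpack": { version: "5.90.0" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested installs included).
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// First installed copy of `target` anywhere in the tree as [path, entry], or null.
function findEntry(lock, target) {
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== "" && packageName(path) === target) return [path, entry];
  }
  return null;
}

function installedVersion(lock, target) {
  const hit = findEntry(lock, target);
  return hit ? hit[1].version : null;
}

// Every package declaring `target` as a peer, with the optional flag taken from
// peerDependenciesMeta: npm 7+ auto-installs only the non-optional peers.
function peerDeclarers(lock, target) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = entry.peerDependencies && entry.peerDependencies[target];
    if (!range) continue;
    const meta = entry.peerDependenciesMeta && entry.peerDependenciesMeta[target];
    hits.push({ declarer: packageName(path), version: entry.version, range, optional: Boolean(meta && meta.optional) });
  }
  return hits;
}

// Packages whose regular dependencies pull in `target` (the subdependency case).
function dependentsOf(lock, target) {
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && entry.dependencies && target in entry.dependencies)
    .map(([path]) => packageName(path));
}

function majorOf(version) {
  const m = /^(\d+)\./.exec(version);
  return m ? Number(m[1]) : NaN;
}

function auditLock(lock, { loader = "sass-loader", minMajor = 14, peer = "node-sass" } = {}) {
  const loaderVersion = installedVersion(lock, loader);
  const peerHit = findEntry(lock, peer);
  return {
    loader,
    peer,
    loaderVersion,
    loaderOutdated: loaderVersion !== null && majorOf(loaderVersion) < minMajor,
    autoInstallingDeclarers: peerDeclarers(lock, peer).filter((h) => !h.optional),
    peerInstalled: peerHit !== null,
    peerVersion: peerHit ? peerHit[1].version : null,
    peerPullsIn: peerHit ? Object.keys(peerHit[1].dependencies || {}) : [],
  };
}

function formatReport(r) {
  const lines = [];
  if (r.loaderOutdated) lines.push(`${r.loader}@${r.loaderVersion} is below major ${14}`);
  for (const d of r.autoInstallingDeclarers) {
    lines.push(`${d.declarer}@${d.version} declares non-optional peer ${r.peer}@${d.range} (npm 7+ auto-installs it)`);
  }
  if (r.peerInstalled) lines.push(`${r.peer}@${r.peerVersion} is installed and pulls in: ${r.peerPullsIn.join(", ") || "(nothing)"}`);
  return lines.length ? lines.join("\n") : "no findings";
}

console.log(formatReport(auditLock(constructedLock)));
```

To run it against a real project, replace `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files have no `packages` map and are not handled here. Note that the audit treats a peer marked optional in `peerDependenciesMeta` as not auto-installed, so the result depends on how the installed sass-loader release actually declares node-sass, which the report above does not quote.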