Bump sass-graph@4.0.1 or sass-graph@^4.0.1. Vulnerability in node-sass > sass-graph > scss-tokenizer
TarasIrisCRM opened this issue
TarasLutsiuk - NMI commented
- NPM version (npm -v): 8.5.5
- Node version (node -v): v16.16.0
- Node Process (node -p process.versions):
  {
    node: '16.16.0',
    v8: '9.4.146.24-node.21',
    uv: '1.43.0',
    zlib: '1.2.11',
    brotli: '1.0.9',
    ares: '1.18.1',
    modules: '93',
    nghttp2: '1.47.0',
    napi: '8',
    llhttp: '6.0.7',
    openssl: '1.1.1q+quic',
    cldr: '40.0',
    icu: '70.1',
    tz: '2021a3',
    unicode: '14.0',
    ngtcp2: '0.1.0-DEV',
    nghttp3: '0.1.0-DEV'
  }
- Node Platform (node -p process.platform): linux
- Node architecture (node -p process.arch): x64
- node-sass version (node -p "require('node-sass').info"):
  node-sass 7.0.1 (Wrapper) [JavaScript]
  libsass 3.5.5 (Sass Compiler) [C/C++]
- npm node-sass versions (npm ls node-sass):
  +-- node-sass@7.0.1
  ++-- sass-loader@12.4.0
  +++-- node-sass@7.0.1 deduped
There is the following dependency tree:
─┬ node-sass@7.0.1
│ └┬ sass-graph@4.0.0
│ │└─ scss-tokenizer@0.3.0
scss-tokenizer@0.3.0 has the following vulnerability issues:
GHSA-7mwh-4pqv-wmr8
https://security.snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
Is there a chance that the sass-graph@4.0.0 dependency can be updated in order to fix the issue?
Thank you!
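The report above names the chain node-sass > sass-graph > scss-tokenizer; as an added example (not part of the original issue or the node-sass project), the script below walks the `packages` map of an npm lockfile (lockfileVersion 2/3) and lists every chain that leads to a flagged version. `SAMPLE_LOCK`, the dependency ranges in it, and the helper names are constructed for illustration.

```javascript
// Added example (not from the issue): trace why a flagged package version is installed.
// SAMPLE_LOCK is a constructed, trimmed lockfileVersion 2 "packages" map that mirrors
// the tree in the issue; the dependency ranges in it are assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', devDependencies: { 'node-sass': '^7.0.1', 'sass-loader': '^12.4.0' } },
    'node_modules/node-sass': { version: '7.0.1', dependencies: { 'sass-graph': '4.0.0' } },
    'node_modules/sass-graph': { version: '4.0.0', dependencies: { 'scss-tokenizer': '^0.3.0' } },
    'node_modules/scss-tokenizer': { version: '0.3.0' },
    'node_modules/sass-loader': { version: '12.4.0', peerDependencies: { 'node-sass': '^7.0.0' } },
  },
};
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const NM = 'node_modules/';

// Package name encoded in a lockfile path such as "node_modules/a/node_modules/b".
const nameOf = (path) => path.slice(path.lastIndexOf(NM) + NM.length);

// Node-style lookup: <from>/node_modules/<dep> first, then each enclosing level up to the root.
function resolveDep(packages, from, dep) {
  for (let base = from; ; ) {
    const candidate = (base ? base + '/' : '') + NM + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/' + NM);
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Every chain from the project root down to name@version, as "a@1 > b@2 > name@version".
function findChains(lock, name, version) {
  const packages = lock.packages || {};
  const parents = {}; // resolved path -> paths of the packages that depend on it
  for (const [path, pkg] of Object.entries(packages))
    for (const field of DEP_FIELDS)
      for (const dep of Object.keys(pkg[field] || {})) {
        const target = resolveDep(packages, path, dep);
        if (target) (parents[target] = parents[target] || []).push(path);
      }
  const label = (p) => `${nameOf(p)}@${packages[p].version}`;
  const chains = [];
  const walk = (path, trail) => {
    if (path === '') { chains.push(trail.slice(1).map(label).join(' > ')); return; }
    for (const parent of parents[path] || [])
      if (!trail.includes(parent)) walk(parent, [parent, ...trail]);
  };
  for (const path of Object.keys(packages))
    if (nameOf(path) === name && packages[path].version === version) walk(path, [path]);
  return chains.sort();
}

console.log(findChains(SAMPLE_LOCK, 'scss-tokenizer', '0.3.0').join('\n'));
```

On a real project, pass the parsed contents of package-lock.json in place of `SAMPLE_LOCK`; an empty result means the flagged version is no longer resolved anywhere in the tree.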
github-sj commented
Can somebody please provide an ETA on when this can be done?