ShorensteinCenter / Benchmarks-Program

Free, open source data science metrics for MailChimp email lists, delivered via an email report
https://emailbenchmarking.com
MIT License

Update `node-sass` when it updates `request` to remove vulnerable `hoek` dependency #2

Closed hcharley closed 5 years ago

hcharley commented 6 years ago

https://github.com/sass/node-sass/pull/2170

williamhakim10 commented 6 years ago

@charlex node-sass is still getting flagged as having vulnerabilities due to node-gyp also relying on request, which has the same prototype pollution vulnerability. This issue should remain open as we are waiting on a node-gyp.

Here's the relevant node-sass issue: https://github.com/sass/node-sass/issues/2355

Do note that gulp-sass doesn't actually have access to live code, so this bug isn't really a huge deal apart from making npm/github shut up.
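The dependency chains described in the comment above can be traced mechanically. The following is an added example, not part of the original thread or the project's code: it walks a tree shaped like `npm ls --json` output and shows that fixing node-sass's own `request` still leaves a path to `hoek` through node-gyp. The tree, the root name `sample-app`, the version strings and the helper names `findPaths` and `dropEdge` are constructed for illustration.

```javascript
// Constructed sample shaped like `npm ls --json` output. Versions are
// placeholders; packages between request and hoek are omitted for brevity.
const v = "0.0.0-sample";
const requestNode = () => ({ version: v, dependencies: { hoek: { version: v } } });
const sampleTree = {
  name: "sample-app", version: v,
  dependencies: {
    "gulp-sass": { version: v, dependencies: {
      "node-sass": { version: v, dependencies: {
        request: requestNode(),
        "node-gyp": { version: v, dependencies: { request: requestNode() } },
      } },
    } },
  },
};

// Every chain of package names leading from the root to `target`.
function findPaths(node, target, trail = [node.name]) {
  const paths = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const next = [...trail, name];
    if (name === target) paths.push(next.join(" > "));
    paths.push(...findPaths(child, target, next));
  }
  return paths;
}

// Copy the tree with one dependency edge removed, to model an upstream fix.
function dropEdge(tree, chain) {
  const copy = JSON.parse(JSON.stringify(tree));
  let node = copy;
  for (const name of chain.slice(0, -1)) node = node.dependencies[name];
  delete node.dependencies[chain[chain.length - 1]];
  return copy;
}

const before = findPaths(sampleTree, "hoek");
// Model node-sass's own request no longer pulling in hoek.
const afterNodeSassFix = findPaths(
  dropEdge(sampleTree, ["gulp-sass", "node-sass", "request", "hoek"]), "hoek");

console.log(before);           // two chains: direct and via node-gyp
console.log(afterNodeSassFix); // the node-gyp chain remains
```
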

williamhakim10 commented 5 years ago

Fixed with latest Node updates