department-of-veterans-affairs / va.gov-cms

Editor-centered management for Veteran-centered content.
https://prod.cms.va.gov
GNU General Public License v2.0

Regular expression denial of service in scss-tokenizer #18055

Closed by edmund-dunn 2 weeks ago

edmund-dunn commented 4 months ago

Description

This is partly a discovery ticket. If you find this is blocked because of version issues, especially with node, please annotate that in the Confluence page and here in the ticket.

One other package, sass-graph, depends on an early version of this. Worst case is that two packages need to be upgraded, so this shouldn’t be too difficult.

Acceptance Criteria

JakeBapple commented 2 months ago

Currently, I believe the node-sass package requires sass-graph, which requires scss-tokenizer. So I believe we need to update the dependency of the tokenizer and graph within node-sass.

JakeBapple commented 1 month ago

This PR was merged and the work here should be good to go @gracekretschmer-metrostar

https://github.com/department-of-veterans-affairs/content-build/pull/2182
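
The dependency chain discussed in this thread (node-sass requiring sass-graph, which requires scss-tokenizer) can be confirmed from a lockfile before deciding which packages to upgrade. The following is an added example, not part of the original thread or the project's code; it assumes an npm `package-lock.json` in lockfileVersion 2 or 3 layout, and the function names, sample lockfile and version strings are constructed for illustration.

```javascript
// Constructed sample in package-lock.json v2/v3 layout; version strings are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "node-sass": "*" } },
    "node_modules/node-sass": { version: "0.0.0-sample", dependencies: { "sass-graph": "*" } },
    "node_modules/sass-graph": { version: "0.0.0-sample", dependencies: { "scss-tokenizer": "*" } },
    "node_modules/sass-graph/node_modules/scss-tokenizer": { version: "0.0.0-sample" },
  },
};

// Resolve `name` the way Node does: nested node_modules first, then each parent up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an optional dependency that was skipped)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return one chain per installed package that directly requires `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const seen = new Set(); // expand each installed package once, which also stops on cycles
  const walk = (path, chain) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next) continue;
      const step = `${name}@${packages[next].version}`;
      if (name === target) { chains.push([...chain, step]); continue; }
      if (seen.has(next)) continue;
      seen.add(next);
      walk(next, [...chain, step]);
    }
  };
  if (packages[""]) walk("", []);
  return chains;
}

console.log(findChains(SAMPLE_LOCK, "scss-tokenizer").map((c) => c.join(" > ")));
```

Each returned chain ends at the resolved copy of the target, so nested and hoisted copies with different versions show up as separate entries.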