dlmanning / gulp-sass

SASS plugin for gulp
MIT License

found 1 low severity vulnerability #755

Closed Nikhilkapoor20 closed 4 years ago

Nikhilkapoor20 commented 4 years ago

```
Low            Denial of Service
Package        node-sass
Patched in     No patch available
Dependency of  gulp-sass [dev]
Path           gulp-sass > node-sass
More info      https://npmjs.com/advisories/961
```
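The report above is the `npm audit` table for one advisory. When such findings land in CI, the useful questions are the ones the table already answers: is a patched version available, is the vulnerable package reachable from production code or only from a dev dependency, and does the severity cross the build's threshold. The script below is an added example (not code from gulp-sass, node-sass or anyone in this thread) that triages a hand-constructed audit report modelled on the npm 6 `npm audit --json` layout; the `advisories` shape, the `<0.0.0` "no patch" convention, the `dev: true` flag and the placeholder version string are assumptions made here, while the advisory id, title, package, path and URL are taken from the report in this issue.

```javascript
// Added example: triage an `npm audit --json` report so a CI job can decide
// whether a finding is actionable. Not code from gulp-sass or node-sass.
// The sample report is constructed by hand in the npm 6 audit JSON layout
// (assumption: newer npm releases emit a different "vulnerabilities" shape).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the advisory in this issue. The package
// version is a placeholder; the real value would come from the lockfile.
const sampleAudit = {
  advisories: {
    961: {
      id: 961,
      title: 'Denial of Service',
      module_name: 'node-sass',
      severity: 'low',
      patched_versions: '<0.0.0', // npm's marker for "no patch available"
      findings: [
        { version: 'x.y.z (placeholder)', paths: ['gulp-sass>node-sass'], dev: true },
      ],
      url: 'https://npmjs.com/advisories/961',
    },
  },
};

// npm marks an unpatched advisory with the unsatisfiable range "<0.0.0".
function hasPatch(advisory) {
  return advisory.patched_versions !== '<0.0.0';
}

// Flatten the advisory map into one row per (advisory, dependency path),
// keeping the facts a reviewer needs: severity, fix availability, dev-only.
function triage(report) {
  return Object.values(report.advisories || {}).flatMap((adv) =>
    adv.findings.flatMap((finding) =>
      finding.paths.map((path) => ({
        id: adv.id,
        module: adv.module_name,
        title: adv.title,
        severity: adv.severity,
        path,
        devOnly: Boolean(finding.dev),
        patchAvailable: hasPatch(adv),
        url: adv.url,
      }))
    )
  );
}

// Policy: fail the build only for findings at or above `threshold` that are
// reachable from production dependencies; dev-only findings are reported
// but do not block, since they never ship in the built artefact.
function shouldFailBuild(rows, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return rows.some((r) => !r.devOnly && SEVERITY_RANK[r.severity] >= min);
}

// One human-readable line per row for the CI log.
function summarize(rows) {
  return rows.map((r) =>
    `${r.severity.toUpperCase()} ${r.module} (#${r.id}) via ${r.path}` +
    (r.devOnly ? ' [dev]' : '') +
    (r.patchAvailable ? '' : ' - no patch available')
  );
}

const rows = triage(sampleAudit);
summarize(rows).forEach((line) => console.log(line));
console.log(shouldFailBuild(rows) ? 'FAIL' : 'PASS');
```

With the sample report the script prints the single finding flagged as dev-only with no patch available and reports PASS, because a low-severity issue reachable only through a dev dependency does not meet the default `high` threshold; raising the policy to `'low'` still passes for the same reason, which is the distinction the `[dev]` column in the audit table is meant to convey.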

vijayhardaha commented 4 years ago

I am also getting 2 low severity vulnerabilities since today. Is a patch coming soon from gulp-sass or from the node-sass team?

dippas commented 4 years ago

Yes, since yesterday I'm also getting that same vulnerability.

eagerestwolf commented 4 years ago

That vulnerability is likely going to be falling on deaf ears. This project seems abandoned. It hasn't been updated in almost a year, and it would seem that even the version of node-sass in use is well behind the current version. You can mitigate the problem, however, by just passing in your own Sass compiler as shown in the readme. It's not an ideal solution, but not much we can do in the meantime. Maybe in the future we'll get an update or (if the author is willing) someone else could take over.

dippas commented 4 years ago

@eagerestwolf when you say:

> You can mitigate the problem however, by just passing in your own Sass compiler as shown in the readme.

can you please elaborate on that and give an example of what implementation of the readme should be used in order to mitigate this issue?

xzyfer commented 4 years ago

This project is not dead, and no updates are required. Your lock file is simply out of date. Please familiarise yourself with how npm works.

Until then you can run `npm update node-sass` to update your lockfile to the latest version of node-sass.