dlmanning / gulp-sass

SASS plugin for gulp
MIT License

Could you help update node-sass? #809

Closed evansrobert closed 2 years ago

evansrobert commented 3 years ago

Hi, @xzyfer,

Issue Description

When I build my project, I notice that gulp-sass@4.1.1 directly depends on trim-newlines@1.0.0. However, the vulnerability (high severity) CVE-2021-33623 is detected in package trim-newlines (<3.0.1, >=4.0.0 <4.0.1).
As far as I am aware, gulp-sass@4.1.1 is so popular that a large number of latest versions of active and popular downstream projects depend on it (66,984 downloads per week and about 425 downstream projects, e.g., ws-voice-infinity-global-module 0.9.62, tnx-shared 0.1.279, @egis/build-tools 11.4.1, @core-edu/ui 1.0.260, @penskemediacorp/larva 0.3.1, etc.). In this case, the vulnerability CVE-2021-33623 can be propagated into these downstream projects and expose security threats to them. As you can see, gulp-sass@4.1.1 is introduced into the above projects via the following package dependency paths: (1) @anysols/server-service@1.2.3 ➔ @anysols/anysols-ui@0.2.0 ➔ gulp-sass@4.1.1 ➔ node-sass@4.14.1 ➔ meow@3.7.0 ➔ trim-newlines@1.0.0 ......

I know that it's kind of you to have removed the vulnerability since gulp-sass@5.0.0. But, in fact, the above large amount of downstream projects cannot easily upgrade gulp-sass from version 4.1.* to >=5.0.0: The projects such as @anysols/anysols-ui, which introduced gulp-sass@4.1.1, are not maintained anymore. These unmaintained packages can neither upgrade gulp-sass nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package gulp-sass@4.1.1?

Suggested Solution

As you know, since these inactive projects set a version constraint 4.1.* for gulp-sass on the above vulnerable dependency paths, if gulp-sass removes the vulnerability from 4.1.1 and releases a new patched version gulp-sass@4.1.2, such a vulnerability patch can be automatically propagated into the downstream projects.

In gulp-sass@4.1.2, you can simply try to perform the following upgrade: node-sass ^4.8.3 ➔ ^6.0.1.
Note: node-sass@6.0.1 (>=6.0.1) transitively depends on trim-newlines@3.0.1, which has fixed the vulnerability (CVE-2021-33623). Of course, you are welcome to share other ways to resolve the issue.

Thank you for your contributions to the downstream users. ^_^
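The issue above argues from dependency paths: a vulnerable trim-newlines is only reachable through gulp-sass@4.1.1 > node-sass@4.14.1 > meow@3.7.0, and a patched release would change what resolves at the end of that path. The Node script below is an added example, not code from gulp-sass or from the issue author; it walks a package-lock v1-style nested `dependencies` tree and reports every path that ends in a trim-newlines version inside the affected ranges the issue quotes (<3.0.1, >=4.0.0 <4.0.1). The lock tree `SAMPLE_LOCK` is constructed: the versions on the gulp-sass branch are the ones named in the issue, while the root package name and the second branch (`patched-tool`) are invented to show a non-affected version being skipped. Range comparison is done with a minimal hand-written comparator so the script runs with no installed packages.

```javascript
// Added example: find dependency paths that resolve an affected trim-newlines.
// Not part of the gulp-sass project; the lock tree below is constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator, comparing numerically per component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as quoted in the issue for CVE-2021-33623:
// every version below 3.0.1, and 4.0.0 up to (but excluding) 4.0.1.
const AFFECTED_RANGES = [
  { min: null, max: '3.0.1' },
  { min: '4.0.0', max: '4.0.1' },
];

// True when `version` falls inside any [min, max) range (min === null means open).
function isAffected(version, ranges = AFFECTED_RANGES) {
  return ranges.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) < 0);
}

// Depth-first walk over a nested lock tree; returns one "a@1 > b@2 > ..." string
// per path that ends in `pkgName` at an affected version.
function findVulnerablePaths(lock, pkgName, affected = isAffected) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkgName && affected(info.version)) hits.push(here.join(' > '));
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, [`${lock.name}@${lock.version}`]);
  return hits;
}

// Constructed sample lock tree. The gulp-sass branch mirrors the path quoted in
// the issue; "example-app" and "patched-tool" are invented names.
const SAMPLE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'gulp-sass': { version: '4.1.1', dependencies: {
      'node-sass': { version: '4.14.1', dependencies: {
        meow: { version: '3.7.0', dependencies: {
          'trim-newlines': { version: '1.0.0' },
        } },
      } },
    } },
    // A branch that already resolves the fixed version and must not be reported.
    'patched-tool': { version: '2.0.0', dependencies: {
      'trim-newlines': { version: '3.0.1' },
    } },
  },
};

// Stand-alone run: prints the single affected path from the sample tree.
for (const p of findVulnerablePaths(SAMPLE_LOCK, 'trim-newlines')) console.log(p);
```

To use it on a real project, replace `SAMPLE_LOCK` with the parsed contents of a `package-lock.json` that uses the nested `dependencies` layout (lockfileVersion 1); newer flat `packages` lockfiles need a different walker. Re-running it after the proposed node-sass bump is a direct check that the gulp-sass path no longer reaches an affected version.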

XhmikosR commented 2 years ago

@xzyfer I don't think this is possible since it would break semver, right? If so, I'd close the issue.

xzyfer commented 2 years ago

gulp-sass does not depend on node-sass directly anymore. The node-sass version can be updated independently by the end user any time.