Closed patrick-laa closed 3 months ago
`sass` npm package is NOT vulnerable.
Please do not blindly trust the nearly useless automated scanners as they only do version checks and never check if an exploitable code path really exists.
Here is why it is not affected:
`sass` sets `disableGlobbing: true`; in chokidar it will create a `WatchHelper` with `path === watchPath`:
The `hasGlob` attribute is set to `false`:
https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L210
When `hasGlob` is `false`, `getDirParts`, the only function that uses `braces`, returns early without calling `braces`:
TL;DR: Although `braces` is installed as a transitive dependency of `sass`, it's never used by `sass`, thus `sass` is not vulnerable.
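The reachability argument above, as an added illustration that is not chokidar's, braces' or sass' own code: a simplified model of the `WatchHelper` / `hasGlob` / `getDirParts` control flow with a stand-in for `braces` that records whether it was ever invoked. The names mirror chokidar's; the function bodies, the crude `isGlob` / `globParent` helpers and the sample patterns are assumptions made for this example.

```javascript
// Added example, NOT chokidar's source: a simplified model of the code path
// that decides whether the `braces` dependency is ever reached.

// Stand-in for the `braces` package: records every pattern it is asked to
// expand so we can tell whether the dependency is reachable at all.
const bracesCalls = [];
function bracesExpand(pattern) {
  bracesCalls.push(pattern);
  return [pattern]; // the expansion result does not matter for this check
}

// Crude glob detection and glob-parent (assumption; chokidar uses is-glob
// and glob-parent, which are more thorough).
const isGlob = (p) => /[*?{}[\]]/.test(p);
const globParent = (p) =>
  p.split('/').filter((seg) => !isGlob(seg)).join('/') || '.';

// Model of chokidar's WatchHelper: hasGlob is simply "watchPath differs
// from the raw path", so when watchPath === path it is false.
class WatchHelper {
  constructor(path, watchPath) {
    this.path = path;
    this.watchPath = watchPath;
    this.hasGlob = watchPath !== path;
  }
  getDirParts(path) {
    if (!this.hasGlob) return []; // early return: braces is never called
    const expanded = path.includes('{') ? bracesExpand(path) : [path];
    return expanded.map((p) => p.slice(this.watchPath.length + 1).split('/'));
  }
}

// Mirrors how the watcher derives watchPath from its options: with
// disableGlobbing the raw path is used verbatim.
function getWatchHelper(path, opts) {
  const watchPath =
    opts.disableGlobbing || !isGlob(path) ? path : globParent(path);
  return new WatchHelper(path, watchPath);
}

// Returns true if watching `pattern` with `opts` would reach braces.
function reachesBraces(pattern, opts) {
  const before = bracesCalls.length;
  getWatchHelper(pattern, opts).getDirParts(pattern);
  return bracesCalls.length > before;
}

// sass' configuration: globbing disabled, so braces is unreachable.
console.log(reachesBraces('src/{a,b}/*.scss', { disableGlobbing: true })); // false
// A consumer that leaves globbing on and passes a brace pattern does reach it.
console.log(reachesBraces('src/{a,b}/*.scss', { disableGlobbing: false })); // true
```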
Thank you for explaining so clearly!
`sass` depends on `chokidar` which depends on `braces` and as of today (13 May) there's an unpatched CVE https://www.cve.org/CVERecord?id=CVE-2024-4068 meaning that sass is flagged up as problematic by automated scanners such as Snyk. Just flagging this up - I don't know how likely to be fixed imminently this is, as the initial thread suggests this was first disclosed in September.