sasstools / gulp-sass-lint

Gulp plugin for Sass Lint
MIT License
115 stars 43 forks

minimist package vulnerability #92

Closed IdanAdar closed 4 years ago

IdanAdar commented 4 years ago
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass-lint [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-sass-lint > sass-lint > gonzales-pe-sl > minimist       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │

@xzyfer

IdanAdar commented 4 years ago

Thanks @xzyfer - it looks like there are issues with generating a new npm release?

IdanAdar commented 4 years ago

@xzyfer Can you please open this ticket until you'll actually release a fixed version? I remind you this package is used in the wild and is vulnerable... I would really appreciate it if you could resolve the build issue...

dippas commented 4 years ago

Starting today I'm having this issue also. And I always keep my dependencies up to date.

IdanAdar commented 4 years ago

Unfortunately security is not a top priority, it seems.

dippas commented 4 years ago

This has been fixed late March but so far no update in npm package. @xzyfer this is my only vulnerability.

dippas commented 3 years ago

Almost a year after this issue was opened, and even being fixed, it was NOT UPDATED in the npm package. @xzyfer @Snugug can you please update the npm package?