sasstools / sass-lint

Pure Node.js Sass linting
MIT License
1.77k stars, 534 forks

Security vulnerability in eslint < 4.18.2 #1288

Open markgoho opened 5 years ago

markgoho commented 5 years ago

Security vulnerability warning from Github today. This would be a major update to sass-lint's dependencies. I'm not sure how the repo owner would like to proceed.

anthonydillon commented 4 years ago

Isn't eslint a dev dependency? Why is that appearing in the dep tree when installing sass-lint in other projects?

Jelle-S commented 4 years ago

@anthonydillon It is in develop, so it seems, but not in the latest stable release: https://github.com/sasstools/sass-lint/blob/v1.13.1/package.json#L32

anthonydillon commented 4 years ago

@Jelle-S thanks, is there a plan to do a release soon?

Jelle-S commented 4 years ago

I have no idea, since I'm not a maintainer of this project ;)

Tagging the most active contributors: @DanPurdy @bgriffith

pehbehbeh commented 4 years ago

globule is also affected:

$ yarn audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > eslint > inquirer > lodash                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > eslint > lodash                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > eslint > table > lodash                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > globule > lodash                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 15866
Severity: 4 High

o-mdr commented 4 years ago

Hey guys, will it be possible to get the lib updated? Thank you :)

damienwebdev commented 4 years ago

@srowhani @DanPurdy Can we get one of you to take a look at this?

I think, if there are no breaking changes, backporting the latest eslint into stable as v1.13.2. While the attack surface for this vulnerability is minor, no one likes warnings. Or, as another has already mentioned, if this is actually a devDependency, remove it from dependencies.

Additionally, given what I see occurred with v1.13.0, can we open another issue to actually indicate who the current maintainers of this repo are in the README?

DanPurdy commented 4 years ago

Hi all, unfortunately eslint in v1 is a dependency due to sass-lint directly using its formatters. A major update for them 'could' be a major update for sass-lint and, IIRC, there were issues around it when tested, but it has been a while...

Unfortunately this project has been pretty much dead for 2 years (since October 2017), bar the unfortunate broken release. The work in the develop branch is the as-yet-unfinished v2, which removes this need for eslint, but it's not near a ready state to be released and there are as yet no plans to finish it, I'm afraid.

YodasWs commented 3 years ago

Hi all, unfortunately eslint in v1 is a dependency due to sass-lint directly using its formatters.

This would explain #1324

weex commented 2 years ago

Came here due to GitHub's security alert on merge. Is there a community-driven fork of sass-lint that people would recommend going forward?