Open ankitairen opened 4 years ago
Could this be prioritized for 1.x and make one minor update (1.13.2)?
Just started using sass-lint 1.13.1, and it works like a charm except for the problem that this security vulnerability is detected by npm audit.
This should probably be a fairly quick fix...
It also warns about a high vulnerability in merge. (Was also already mentioned in #1229.)
sass-lint version: 1.13.1
```
high            Prototype Pollution
Package         merge
Patched in      >=2.1.1
Dependency of   sass-lint
Path            sass-lint > merge
More info       https://www.npmjs.com/advisories/1666
```
Critical: https://github.com/advisories/GHSA-xvch-5gv4-984h sass-lint > gonzales-pe-sl > minimist
High: https://github.com/advisories/GHSA-7wpw-2hjm-89gp sass-lint > merge
Moderate: https://github.com/advisories/GHSA-vh95-rmgr-6w4m sass-lint > gonzales-pe-sl > minimist
I'm moving to Stylelint which is still maintained.
To Reproduce
Steps to reproduce the behavior: run npm audit with the latest sass-lint version installed.

Expected behavior
npm does not report any security vulnerabilities when sass-lint is defined in package.json. Achievable if minimist is upgraded to >=1.2.3.

What version of Sass Lint are you using?
1.12.1

What did you do? Please include the actual source code causing the issue
Run npm audit with the latest sass-lint version installed. You will get the report below:

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > gonzales-pe-sl > minimist                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1179                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

What did you expect to happen?
npm does not report any security vulnerabilities when sass-lint is defined in package.json. Achievable if minimist is upgraded to >=1.2.3.
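As an added example (not code from the sass-lint project or from npm), the following Node.js script performs the check the reports in this thread describe: it walks a package-lock.json (lockfileVersion 1 layout, with nested `dependencies` objects), finds every installed copy of a package, and lists the copies whose version falls outside an advisory's "Patched in" range, printing the same dependency path npm audit shows. The lockfile embedded in it, and the version numbers in it, are constructed for illustration; the range parser understands only the plain comparators npm audit prints (`>=`, `<`, `||`), not `^` or `~`.

```javascript
// Added example (not from the sass-lint project): report installed copies of a
// package that are outside an advisory's patched range, with the dependency
// path npm audit prints ("sass-lint > gonzales-pe-sl > minimist").

// Parse "1.2.3" (or "v1.2.3") into [1, 2, 3]; pre-release tags are ignored.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}

// Compare two parsed versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `version` satisfies an advisory range such as
// ">=0.2.1 <1.0.0 || >=1.2.3": "||" separates alternatives, and every
// whitespace-separated comparator inside one alternative must hold.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compareVersions(v, parseVersion(m[2]));
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">":  return c > 0;
        case "<":  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Recursively collect every installed copy of `pkg` from a lockfileVersion 1
// "dependencies" tree, recording the path to it.
function findInstalled(deps, pkg, trail = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (name === pkg) out.push({ path: path.join(" > "), version: info.version });
    findInstalled(info.dependencies, pkg, path, out);
  }
  return out;
}

// Only the copies that are NOT within the patched range.
function findUnpatched(lock, pkg, patchedRange) {
  return findInstalled(lock.dependencies, pkg).filter(
    (hit) => !satisfies(hit.version, patchedRange)
  );
}

// Constructed sample lockfile (versions chosen for illustration, not taken
// from a real install): the nested minimist under gonzales-pe-sl is old, the
// top-level minimist is already fixed, and merge is below 2.1.1.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "sass-lint": {
      version: "1.13.1",
      dev: true,
      dependencies: {
        "gonzales-pe-sl": {
          version: "4.2.3",
          dev: true,
          dependencies: { minimist: { version: "1.1.3", dev: true } },
        },
        merge: { version: "1.2.1", dev: true },
      },
    },
    minimist: { version: "1.2.5" },
  },
};

// Patched ranges as printed in the npm audit reports above.
const MINIMIST_PATCHED = ">=0.2.1 <1.0.0 || >=1.2.3";
const MERGE_PATCHED = ">=2.1.1";

// Usage: `node check-lock.js [path/to/package-lock.json]`; without an
// argument the constructed sample is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const [pkg, range] of [["minimist", MINIMIST_PATCHED], ["merge", MERGE_PATCHED]]) {
    for (const hit of findUnpatched(lock, pkg, range)) {
      console.log(`UNPATCHED ${hit.path} @ ${hit.version} (patched in ${range})`);
    }
  }
}
```

Run against the sample it reports the nested `sass-lint > gonzales-pe-sl > minimist @ 1.1.3` and `sass-lint > merge @ 1.2.1` while staying silent about the fixed top-level minimist, which is the distinction that matters here: the advisory is only cleared once the copy on that nested path is at a patched version, not when some other copy in the tree is.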