Closed curtvict closed 2 years ago
I'm also seeing this issue and there is no guidance on how to fix this vulnerability.
Because the solution should be fixed upstream, i.e. here.
Is there an ETA to merge either this or #49? cc @xzyfer
If scss-tokenizer is a dependency of sass-loader, as it was in my lib:
sass-loader@12.6.0
node-sass@7.0.1
node-gyp@8.4.1
sass-graph@4.0.0
scss-tokenizer@0.3.0
then updating sass-loader@12.6.0 to sass-loader@13.0.2 resolves this issue.
In sass-loader@13.0.2, node-sass is an optional dependency. node-sass is deprecated; moving to Dart Sass is recommended.
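A check for the dependency chain above, as an added example that is not from this thread or the scss-tokenizer project: it walks a package-lock v1 style nested `dependencies` tree (assumed shape; the sample lockfile below is constructed to mirror the chain reported here) and reports every scss-tokenizer entry older than the fixed release 0.4.3, together with the path that pulls it in.

```javascript
// Added example: find scss-tokenizer releases older than the fix (0.4.3) in an
// npm lockfile and show which top-level dependency drags them in.
// Assumes a package-lock v1 style tree: { dependencies: { name: { version, dependencies? } } }.
const FIXED_VERSION = '0.4.3';

function parseVersion(v) {
  // Compare only major.minor.patch; drop any prerelease/build suffix.
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function isOlder(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Recursively visit the nested dependency maps, recording the path to each hit.
function findVulnerable(deps, pkgName, fixedVersion, path = [], hits = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkgName && isOlder(info.version, fixedVersion)) {
      hits.push(here.join(' > '));
    }
    findVulnerable(info.dependencies, pkgName, fixedVersion, here, hits);
  }
  return hits;
}

// Constructed lockfile fragment (not a real project's lockfile) mirroring the
// sass-loader -> node-sass -> sass-graph -> scss-tokenizer chain from the thread.
const sampleLock = {
  dependencies: {
    'sass-loader': {
      version: '12.6.0',
      dependencies: {
        'node-sass': {
          version: '7.0.1',
          dependencies: {
            'sass-graph': {
              version: '4.0.0',
              dependencies: { 'scss-tokenizer': { version: '0.3.0' } },
            },
          },
        },
      },
    },
    'scss-tokenizer': { version: '0.4.3' }, // hoisted copy, already patched
  },
};

function auditScssTokenizer(lock) {
  return findVulnerable(lock.dependencies, 'scss-tokenizer', FIXED_VERSION);
}
```

Run `auditScssTokenizer(JSON.parse(fs.readFileSync('package-lock.json')))` against a real v1 lockfile; an empty array means no pre-0.4.3 copy remains anywhere in the tree.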
Updating from node-sass to sass as recommended by @dolanite resolved the issue for me. Thanks!
@rbitting, are you updating from node-sass to sass or Dart Sass? I'm confused here.
I don't have a lot of skin in the game anymore since, admittedly, after asking this question I realized that node-sass was an unused dependency in my package, but from what I can tell from the sass package README, it is the Dart implementation of Sass.
Thanks @curtvict
Fixed in v0.4.3
I'm not sure if this is the right place to bring this up, but https://nvd.nist.gov/vuln/detail/CVE-2022-25758 has never updated the affected versions to indicate < 0.4.3, though Snyk has long since recognized the fix: https://security.snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884.
Is there something that the maintainers of the library can do to help get the vulnerability details updated in NIST and other trackers?
I'm getting a Dependabot warning in my project for this package: https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
This previously opened issue also seems related: https://github.com/sasstools/scss-tokenizer/issues/45