xzyfer / sass-graph

Parses import dependencies from a directory of sass files
MIT License
76 stars 59 forks

package dependency scss-tokenizer flagged unsafe #118

Closed vycos-zen closed 2 years ago

vycos-zen commented 2 years ago

reference: CVE-2022-25758

Regular expression denial of service in scss-tokenizer

symptom: yarn.lock indicates a dependency on scss-tokenizer: ^0.3.0, triggering a dependabot warning

Severity: High 7.5 / 10

scss-tokenizer current version is 0.4.2

impacted packages

expected outcome: no safety warning for the package.

is it possible to update this package?
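The check behind this report (does the lockfile resolve scss-tokenizer to a version below the patched one?) as an added example; this is not code from sass-graph, scss-tokenizer or anyone in this thread. It assumes yarn.lock v1 syntax, uses a constructed sample lockfile whose resolutions are illustrative rather than taken from any project, and takes 0.4.3 as the assumed patched version of scss-tokenizer, which you should confirm against the advisory for CVE-2022-25758 before relying on it. The function names (`parseYarnLockV1`, `auditLock`, `compareVersions`) are the example's own.

```javascript
// Added example (not code from sass-graph or from anyone in this thread): audit
// a yarn.lock v1 file for every resolved version of one package and flag the
// entries that are older than a patched version you take from the advisory.
// The lockfile text below is constructed for illustration; its resolutions are
// not real lock data from any project.

// Parse yarn.lock v1. An entry starts at column 0 with comma-separated specs
// ending in ':' and is followed by two-space-indented "key value" lines;
// deeper-indented lines (the `dependencies:` block) are skipped.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, fields: {} };
      entries.push(current);
    } else if (current && /^ {2}\S/.test(line)) {
      const m = line.trim().match(/^(\S+?)\s+"?([^"]*)"?$/);
      if (m) current.fields[m[1]] = m[2];
    }
  }
  return entries;
}

// Package name from a spec such as "scss-tokenizer@^0.3.0" or "@scope/pkg@^1.0.0".
function specName(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

// Numeric major.minor.patch comparison; pre-release and build suffixes are
// ignored, so "0.10.0" sorts after "0.9.9" (a string compare would not).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lock entry that resolves `pkg`, flagged when its version is below minSafe.
function auditLock(lockText, pkg, minSafe) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.specs.some((s) => specName(s) === pkg))
    .map((e) => ({
      specs: e.specs,
      version: e.fields.version,
      vulnerable: compareVersions(e.fields.version, minSafe) < 0,
    }));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"sass-graph@^4.0.0":
  version "4.0.0"
  resolved "https://registry.example/sass-graph/-/sass-graph-4.0.0.tgz"
  dependencies:
    scss-tokenizer "^0.3.0"

"scss-tokenizer@^0.3.0":
  version "0.3.0"
  resolved "https://registry.example/scss-tokenizer/-/scss-tokenizer-0.3.0.tgz"
  dependencies:
    js-base64 "^2.1.9"
    source-map "^0.4.2"

"scss-tokenizer@^0.4.0", "scss-tokenizer@^0.4.2":
  version "0.4.2"
  resolved "https://registry.example/scss-tokenizer/-/scss-tokenizer-0.4.2.tgz"

"scss-tokenizer@^0.4.3":
  version "0.4.3"
  resolved "https://registry.example/scss-tokenizer/-/scss-tokenizer-0.4.3.tgz"
`;

// Assumption: the patched version comes from the advisory for CVE-2022-25758;
// 0.4.3 is used here as that threshold. Verify it against the advisory.
const MIN_SAFE_SCSS_TOKENIZER = '0.4.3';

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditLock(SAMPLE_LOCK, 'scss-tokenizer', MIN_SAFE_SCSS_TOKENIZER)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.version}  <- ${r.specs.join(', ')}`);
  }
}
```

The point of auditing the lockfile rather than package.json is that a `^0.3.0` range in an intermediate dependency such as sass-graph can resolve to a vulnerable version even when your own manifest never names scss-tokenizer; only the resolved `version` field tells you what is actually installed, and a lockfile can carry several resolutions of the same package at once, as the sample shows.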

SmolinPavel commented 2 years ago

Yeah, this vulnerability has been promoted from moderate to high, so looks like it should be addressed.

paulrrogers commented 2 years ago

This scss-tokenizer fork claims to have a fix. 🤞 it will be accepted upstream.

mporkola commented 2 years ago

It was merged, now we just need to update the dependency version in sass-graph. @xzyfer would you be able to do it, pretty please? 🙏

github-sj commented 2 years ago

Can somebody please provide an ETA on when this can be done?

xzyfer commented 2 years ago

Fixed in v4.0.1

github-sj commented 2 years ago

Fixed in v4.0.1

Thank you very much.

vycos-zen commented 2 years ago

sweet! thank you.