-
Notifications
You must be signed in to change notification settings - Fork 1.3k
build(deps): ReDoS vulnerability from intermediate dependency #3125
Conversation
This comment has been minimized.
This comment has been minimized.
There is an issue with Alpine release checks, but I've checked PRs nearby and it looks like common issue |
type: 'string', | ||
}, | ||
includePath: { | ||
type: 'string', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this is fully equivalent with the below, since I think the API is expecting an array in all cases, which was why it coerced it if it wasn't. Maybe that isMultiple
forces the same thing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
meow always returns array for isMultiple
flags according documentation.
I checked behaviour and removed unnecessary code below as well: https://github.com/sass/node-sass/pull/3125/files/be85ce1818a68e45d4f40672fce5424a918bebd9#diff-66e4eb9929e494460303e4a5e5c4ea4252befaf983cc44bfea286987f0509ef9L285
This comment has been minimized.
This comment has been minimized.
Appreciate all your effort. This is released in 6.0.1. |
Should also make the move to ESM - quite many are starting to do it right now |
We're not open to adopting esm modules at this time. We want to minimise churn and limit releases to security patches and major compatibility issues. |
@xzyfer the security first, nice that this PR is merged. I was waiting for it, like for gulp-sass pull |
Thanks for the reminder @ljuroszekPerfectgym. I've released a 4.1.1 with the lodash update. |
hell yeah, thanks! |
Was this backported to 4.14.X version as well? |
Looks like we can back port this to 4.x by updating to meow@7 without too much happy. I'll try to cut a release in the next 48hrs. |
Are there still plans to back port this to 4.x? |
Hello folks,
CVE-2021-33623 describes ReDoS vulnerability from intermediate meow dependency, so I updated meow from 3.7.0 to 9.0.0.
Unfortunately I could not update to the latest version of meow (10.0.0), because meow code was migrated to ESM and node-sass requires node engine >= 12 according current package.json.