build(gulp-sass): update to new version

[Splaktar]

Bug, enhancement request, or proposal:

Proposal

What is the expected behavior?

The project's dependencies are verified as secure.

What is the current behavior?

There is a warning due to an out of date sub-dependency of gulp-sass and node-sass. This only effects the library's build tooling and not the deployment assets or any application built with the library.

What is the use-case or motivation for changing an existing behavior?

Compliance.

Which versions of AngularJS, Material, OS, and browsers are affected?

• AngularJS Material: 1.1.9 and prior

Is there anything else we should know? Stack Traces, Screenshots, etc.

N/A

[Splaktar]

This is related to the following issues:
sass/node-sass#2355
dlmanning/gulp-sass#687
dlmanning/gulp-sass#691

We pull two vulnerable dependencies in via gulp-sass which depends on node-sass.

According to the node-sass issue, they are waiting for v5 of node-sass before they fix the hoek vulnerability which actually comes from the request library. v5 is supposed to be released within 2-3 weeks.

So we'll need to wait for the node-sass v5 release, which is tracked in sass/node-sass#2312, and then wait for gulp-sass to update node-sass and remediate the vulnerability related to tunnel-agent dependency as reported in dlmanning/gulp-sass#691.

[Splaktar]

Still blocked by node-sass's v5 release which has pushed from 2-3 weeks to 4-5+ with no real sign that it is going to happen soon.

[Splaktar]

node-sass released v4.9.1 to fix this issue earlier today: sass/node-sass#2355 (comment). It looks like our version of gulp-sass will pull in this version and the fix automatically now.

[Splaktar]

It looks like we're still pulling in vulnerable versions of hoek via karma@1.7.1 and karma-sauce-launcher@1.2.0.

[Splaktar]

I haven't yet tracked down the karma related issues, but nodejs/node-gyp#1471 is another Moderate level issue with hoek that should get resolved "soon". It looks like the PR is ready to be merged in node-gyp.