Update dep sass-loader to fix critical security vulnerability downstream of react-scripts #8357

Closed
adelyafatykhova opened this issue Jan 22, 2020 · 2 comments

@adelyafatykhova

Describe the bug

sass-loader has a downstream dependency that has a security vulnerability that has been rated highly in CVE.

When this issue in sass-loader is addressed, react-scripts needs to be updated as well to use the latest version.

Otherwise, running a security scan (e.g., whitesource) on any project using react-scripts flags the security vulnerability.

This vulnerability comes from kind-of, which is used in clone-deep, which is used in sass-loader. This leads to any project using sass-loader being flagged.

The original vulnerability has been fixed in kind-of 6.0.3:

According to the discussion in jonschlinkert/kind-of#33, this only affects kind-of 6.0+.

However, kind-of 6.0.2 (without the fix) is still used in clone-deep, which is used by sass-loader.
In clone-deep I've opened a PR to use the fixed version.

The issue affects every single version of sass-loader that uses clone-deep above v1.0.

Therefore, I've created an issue in sass-loader to update their clone-deep version ASAP when a new release is available.

When sass-loader is updated, react-scripts must also be updated.

Did you try recovering your dependencies?

na

Which terms did you search for in User Guide?

na

Environment

na

Steps to reproduce
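As an added example (not code from this issue or from the sass-loader, clone-deep or react-scripts projects), the following Node script walks a package-lock.json v1 dependency tree and reports every installed copy of kind-of in the affected range described above (6.0.0 up to, but not including, 6.0.3), together with the nesting path that pulled it in. The lockfile fragment and all version numbers in it are constructed for illustration.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release suffixes are ignored on purpose.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unexpected version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected range as described in the issue: the fix landed in 6.0.3 and only 6.0+ is affected.
function isAffectedKindOf(version) {
  const v = parseVersion(version);
  return cmpVersion(v, [6, 0, 0]) >= 0 && cmpVersion(v, [6, 0, 3]) < 0;
}

// Recursively walk the nested "dependencies" maps of a lockfile v1 (npm 5/6 format).
// Nesting here reflects where each copy is physically installed under node_modules,
// so the reported path is the install path, not the logical "requires" chain.
function findAffected(lock, pkg = "kind-of", path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === pkg && isAffectedKindOf(entry.version)) out.push(here.join(" > "));
    findAffected(entry, pkg, here, out);
  }
  return out;
}

// Constructed lockfile fragment mirroring the chain in the issue (versions are illustrative):
// a hoisted, fixed kind-of at top level, a vulnerable copy nested under clone-deep,
// and an unrelated 3.x copy under micromatch that is outside the affected range.
const SAMPLE_LOCK = {
  dependencies: {
    "react-scripts": { version: "3.3.0", dependencies: {
      "sass-loader": { version: "8.0.2", dependencies: {
        "clone-deep": { version: "4.0.1", dependencies: {
          "kind-of": { version: "6.0.2" } } } } } } },
    "kind-of": { version: "6.0.3" },
    "micromatch": { version: "3.1.10", dependencies: { "kind-of": { version: "3.2.2" } } },
  },
};

const hits = findAffected(SAMPLE_LOCK);
console.log(hits.length ? hits.join("\n") : "no affected kind-of copies found");
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a lockfile v2/v3 uses a flat "packages" map instead and needs a different walk.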

@stale

stale bot commented Feb 21, 2020

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Feb 21, 2020
@stale

stale bot commented Feb 27, 2020

This issue has been automatically closed because it has not had any recent activity. If you have a question or comment, please open a new issue.

@stale stale bot closed this as completed Feb 27, 2020
@lock lock bot locked and limited conversation to collaborators Mar 10, 2020