This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
Describe the bug
sass-loader has a downstream dependency that has a security vulnerability that has been rated highly in CVE.
When this issue in sass-loader is addressed, react-scripts needs to be updated as well to use the latest version.
Otherwise, running a security scan (e.g., whitesource) on any project using react-scripts flags the security vulnerability.
This vulnerability comes from kind-of, which is used in clone-deep, which is used in sass-loader. This leads to any project using sass-loader being flagged.
The original vulnerability has been fixed in kind-of 6.0.3:
According to the discussion in jonschlinkert/kind-of#33, this only affects kind-of 6.0+.
However, kind-of 6.0.2 (without the fix) is still used in clone-deep, which is used by sass-loader.
In clone-deep, I've opened a PR to use the fixed version.
The issue affects every single version of sass-loader that uses clone-deep above v1.0.
Therefore, I've created an issue in sass-loader to update their clone-deep version ASAP when a new release is available.
When sass-loader is updated, react-scripts must also be updated.
Did you try recovering your dependencies?
na
Which terms did you search for in User Guide?
na
Environment
na
Steps to reproduce
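The chain described in this issue (sass-loader > clone-deep > kind-of) can be confirmed in a project's own lockfile. The following is an added example, not part of the original issue or of any project named in it: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports the dependency chain leading to each installed kind-of in the range the issue gives (6.0.0 up to, but not including, 6.0.3). The sample lockfile is constructed, its versions other than kind-of 6.0.2 are placeholders, and `legacy-util` is a hypothetical package.

```javascript
// Added example. Input format: npm package-lock.json, lockfileVersion 2 or 3.
const AFFECTED = { name: "kind-of", min: [6, 0, 0], fixed: [6, 0, 3] }; // range from the issue
const parse = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
const isAffected = (v) => cmp(parse(v), AFFECTED.min) >= 0 && cmp(parse(v), AFFECTED.fixed) < 0;
// Node resolution: the requiring package's own node_modules first, then each parent's.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root project; returns the shortest chain to each affected copy.
function findChains(lock) {
  const packages = lock.packages || {};
  if (!packages[""]) return [];
  const chains = [], seen = new Set([""]), queue = [{ path: "", trail: [] }];
  while (queue.length) {
    const { path, trail } = queue.shift();
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (!target || seen.has(target)) continue;
      seen.add(target);
      const version = packages[target].version || "0.0.0"; // link entries carry no version
      const next = [...trail, `${name}@${version}`];
      if (name === AFFECTED.name && isAffected(version)) chains.push(next.join(" > "));
      queue.push({ path: target, trail: next });
    }
  }
  return chains;
}

// Constructed lockfile: every version except kind-of 6.0.2 is a placeholder; legacy-util is hypothetical.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { dependencies: { "react-scripts": "*" }, devDependencies: { "legacy-util": "*" } },
  "node_modules/react-scripts": { version: "1.0.0", dependencies: { "sass-loader": "*" } },
  "node_modules/sass-loader": { version: "1.0.0", dependencies: { "clone-deep": "*" } },
  "node_modules/clone-deep": { version: "1.0.0", dependencies: { "kind-of": "^6.0.2" } },
  "node_modules/kind-of": { version: "6.0.2" },
  "node_modules/legacy-util": { version: "1.0.0", dependencies: { "kind-of": "^3.0.0" } },
  "node_modules/legacy-util/node_modules/kind-of": { version: "3.2.2" },
} };
console.log(findChains(sampleLock).join("\n"));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findChains`; an empty result means no installed copy of kind-of falls in the affected range.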