[Snyk] Upgrade sass from 1.47.0 to 1.53.0 #262

Closed


snyk-bot

Snyk has created this PR to upgrade sass from 1.47.0 to 1.53.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 21 versions ahead of your current version.
  • The recommended version was released a month ago, on 2022-06-22.

The recommended version fixes:

| Severity | Issue | Priority Score (*) | Exploit Maturity |
|---|---|---|---|
| | Arbitrary File Overwrite (SNYK-JS-TAR-1536528) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Arbitrary File Overwrite (SNYK-JS-TAR-1536531) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Arbitrary File Write (SNYK-JS-TAR-1579147) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Arbitrary File Write (SNYK-JS-TAR-1579152) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Arbitrary File Write (SNYK-JS-TAR-1579155) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-AXIOS-1579269) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Prototype Pollution (SNYK-JS-JSONSCHEMA-1920922) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Command Injection (SNYK-JS-LODASH-1040724) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Remote Code Execution (RCE) (SNYK-JS-SHELLQUOTE-1766506) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-SSRI-1246392) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-TERSER-2806366) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-TERSER-2806366) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-UGLIFYJS-1727251) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Cryptographic Issues (SNYK-JS-ELLIPTIC-1064899) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Information Exposure (SNYK-JS-FOLLOWREDIRECTS-2332181) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-LODASH-1018905) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Information Exposure (SNYK-JS-NANOID-2332193) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Information Exposure (SNYK-JS-NODEFETCH-2342118) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Cross-site Scripting (XSS) (SNYK-JS-PARSEURL-2935944) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Information Exposure (SNYK-JS-PARSEURL-2935947) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Cross-site Scripting (XSS) (SNYK-JS-PARSEURL-2942134) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-PATHPARSE-1077067) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Regular Expression Denial of Service (ReDoS) (SNYK-JS-TAR-1536758) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Information Exposure (SNYK-JS-FOLLOWREDIRECTS-2396346) | 410/1000 (CVSS 8.2) | No Known Exploit |
| | Prototype Pollution (SNYK-JS-MINIMIST-2429795) | 410/1000 (CVSS 8.2) | Proof of Concept |
| | Server-side Request Forgery (SSRF) (SNYK-JS-PARSEURL-2936249) | 410/1000 (CVSS 8.2) | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: sass
  • 1.53.0 - 2022-06-22

    To install Sass 1.53.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    • Add support for calling var() with an empty second argument, such as var(--side, ).

    JS API

    • Fix a bug where meta.load-css() would sometimes resolve relative URLs incorrectly when called from a mixin using the legacy JS API.

    Embedded Sass

    • Respect npm's proxy settings when downloading the embedded Sass compiler.

    See the full changelog for changes in earlier releases.

  • 1.52.3 - 2022-06-08

    To install Sass 1.52.3, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    • Fix crash when trailing loud comments (/* ... */) appear twice in a row across two different imports which themselves imported the same file each.

    See the full changelog for changes in earlier releases.

  • 1.52.2 - 2022-06-03

    To install Sass 1.52.2, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    • Preserve location of trailing loud comments (/* ... */) instead of pushing the comment to the next line.

    See the full changelog for changes in earlier releases.

  • 1.52.1 - 2022-05-20

    To install Sass 1.52.1, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

    Changes

    Command Line Interface

    • Fix a bug where --watch mode would close immediately in TTY mode. This was caused by our change to close --watch when stdin was closed outside of TTY mode, which has been reverted for now while we work on a fix.

    See the full changelog for changes in earlier releases.

  • 1.52.0 - 2022-05-20
  • 1.51.0 - 2022-04-26
  • 1.50.1 - 2022-04-19
  • 1.50.0 - 2022-04-07
  • 1.49.11 - 2022-04-01
  • 1.49.10 - 2022-03-30
  • 1.49.9 - 2022-02-24
  • 1.49.8 - 2022-02-17
  • 1.49.7 - 2022-02-01
  • 1.49.6 - 2022-02-01
  • 1.49.5 - 2022-02-01
  • 1.49.4 - 2022-02-01
  • 1.49.3 - 2022-02-01
  • 1.49.2 - 2022-02-01
  • 1.49.1 - 2022-01-31
  • 1.49.0 - 2022-01-18
  • 1.48.0 - 2022-01-13
  • 1.47.0 - 2022-01-07
from sass GitHub release notes


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.


@fzn0x fzn0x closed this Aug 1, 2022
@fzn0x fzn0x deleted the snyk-upgrade-7115d7622b507a299614262ac9e2d192 branch October 31, 2022 22:58