v4.11.0 and v4.12.0 binaries say using libsass 3.5.4 instead of 3.5.5 #2621

Closed

Comments

@narve

narve commented Apr 2, 2019

What the title says... at least for me, after doing a clean install of node-sass:

> npx node-sass --version
node-sass       4.11.0  (Wrapper)       [JavaScript]
libsass         3.5.4   (Sass Compiler) [C/C++]
> npm --version 
6.4.1
> node --version
v11.2.0

Please release a new version with 3.5.5 (or later) due to security vulnerabilities.

And at a minimum the documentation should be updated to state the version it actually uses.

If needed I can try to submit a PR.

(Windows 10 Enterprise, vr 10.0.16299, 64bit)

@saifali96

Thanks @narve, same here, I just checked as well. My security vulnerability scanners have been crying since yesterday under CVE-2018-11693.

@wesgro

wesgro commented May 15, 2019

4.12 still references 3.5.4

@hoona

hoona commented May 20, 2019

Same here, 4.12 referencing libsass 3.5.4, triggering vulnerabilities and making our security folks unhappy.

@saper saper changed the title from "Vr 4.11 says it has upgraded libsass to 3.5.5 but it actually uses 3.5.4" to "v4.11.0 and v4.12.0 binaries say using libsass 3.5.4 instead of 3.5.5" Oct 17, 2019
@saper
Member

saper commented Oct 17, 2019

From what I see only the version number did not get updated. The code is really using libsass 3.5.5.

saper added a commit to saper/node-sass that referenced this issue Oct 23, 2019