New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NPM Advisory 961 - Denial of Service #2816
Comments
It would be nice if details were known... |
Getting vulnerability issues for this package
=== npm audit security report === Low Denial of Service Package node-sass Patched in No patch available Dependency of node-sass [dev] Path node-sass More info https://npmjs.com/advisories/961 |
Since this was closed for not meeting the template, hopefully including this information will allow the conversation to be started:
When I run |
From the npmjs page, for completion sake: Denial of Service Overview Remediation |
I think what @saper is getting at is that this advisor doesn't link to any CVE, so although it might be fixed in later libsass releases, there is no way of knowing. |
NPM website says this was reported by "Alexander Jordan", but with no link to the reporter. Quick googling suggests it may be @alexjordan, a security researcher with Oracle labs. Perhaps Alex will notice this mention and provide some more detail on this vulnerability. |
Same warning for me.
Will a patch be released? Thank you! |
There will be no patch unless the details of the issue will be disclosed to node-sass or libsass team. We don't know what is wrong. I have no idea what kind of funny vulnerability reporting process is this. We need a Github issue with details how to reproduce this problem, as for any other issue. |
For anyone having CI-related difficulties with this vuln but who intends to keep using node-sass, I recommend npm-audit-resolver: |
I'm the original reporter. The NPM security team should have disclosed the vulnerability (responsibly) to the maintainers and included its description and steps to reproduce. @saper let me know whether I should post details here or on a private channel like email. |
@alexjordan I tried the new GitHub Security Advisory thing, and invited you to the issue |
Thanks. Information provided there. |
Thanks for the extra details @alexjordan |
Update: npm were informed of an possible issue June 2019 |
Update: we have a patch ready to go but require time to prebuild the binaries. We expect to land within ~20hrs. The advisory should hopefully be resolved within 24hrs of that. |
This has been resolved in v4.13.1. Now we have to wait for npm to update it's advisory. |
yarn audit
is failing due to the newly posted advisory https://www.npmjs.com/advisories/961.Any plans on resolving this?
The text was updated successfully, but these errors were encountered: