Security vulnerability [CVE-2021-3918]

[mertyildiran]

Dependency tree:
node-sass@5.0.0 > node-gyp@7.1.2 > request@2.88.2 > http-signature@1.2.0 > jsprim@1.4.1 > json-schema@0.2.3

CVE-2021-3918

I guess it's present node-sass@6.0.0 and node-sass@6.0.1 as well.

[arderyp]

thanks for the issue.

I believe node-sass directly requires request*^2.88.0

If the aforementioned request package is the same as this (repo), its been deprecated for the better part of a year and should thus be dropped altogether to solve this problem. In an ideal world. I'm not familiar enough with these packages myself to know how easy/feasible this would be.

[pzrq]

Moving away from request is an option already implemented in node-gyp v8 here - i.e. the clearest success path for node-sass to me looks like upgrading node-gyp from v7 plus any direct usages here in node-sass (as it is also in dependencies at the moment).

However, another option is suggested here too, so it's possible it might get resolved upstream too.

[pzrq]

It also looks like others would like to move away from requests: #3200

[arderyp]

is this project still being actively maintained?

[Delwalt]

Anyone still looking into this issue?

I am also facing the same issue. Latest version of json-schema (0.4.0) is available which has some vulnerability fixes but due to node-sass dependency couldn't upgrade.

[arderyp]

is it viable to uninstall node-sass and use sass instead?

[arderyp]

for what it's worth, I replaced node-sass with sass, which appears to be more actively maintained, and it "just worked" as a drop in solution:

yarn remove node-sass
yarn add sass
# run your rebuild

[pzrq]

is it viable to uninstall node-sass and use sass instead?

@arderyp Yes: https://sass-lang.com/documentation/js-api

[arderyp]

yup @pzrq, I already took care of it and it was a breeze :)

[xzyfer]

Should be resolved when #3209 is released.

[xzyfer]

Fixed in 7.0.1.