Security vulnerability [CVE-2021-3918] #3204
Comments
thanks for the issue. I believe if the aforementioned
Moving away from request is an option already implemented in node-gyp v8 here - i.e. the clearest success path for node-sass to me looks like upgrading node-gyp from v7 plus any direct usages here in node-sass (as it is also in dependencies at the moment). However, another option is suggested here too, so it's possible it might get resolved upstream too.
It also looks like others would like to move away from requests: #3200
is this project still being actively maintained?
Anyone still looking into this issue? I am also facing the same issue. Latest version of json-schema (0.4.0) is available which has some vulnerability fixes but due to node-sass dependency couldn't upgrade.
is it viable to uninstall
for what it's worth, I replaced
yup @pzrq, I already took care of it and it was a breeze :)
Should be resolved when #3209 is released.
Fixed in 7.0.1.
Dependency tree:
node-sass@5.0.0 > node-gyp@7.1.2 > request@2.88.2 > http-signature@1.2.0 > jsprim@1.4.1 > json-schema@0.2.3
CVE-2021-3918
I guess it's present in node-sass@6.0.0 and node-sass@6.0.1 as well.
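Added example (not part of the issue and not node-sass project code): a small Node.js check that walks an npm lockfile and reports every dependency chain that ends at a json-schema release below 0.4.0, the version a commenter above cites as carrying the fixes. The lockfile is constructed inline from the dependency tree in the report; the root package name and the version ranges are assumptions.

```javascript
// Constructed lockfile (npm "packages" layout); versions follow the issue's tree, ranges are made up.
const sampleLock = { packages: {
  '': { name: 'app', dependencies: { 'node-sass': '^5.0.0' } },
  'node_modules/node-sass': { version: '5.0.0', dependencies: { 'node-gyp': '^7.1.0' } },
  'node_modules/node-gyp': { version: '7.1.2', dependencies: { request: '^2.88.0' } },
  'node_modules/request': { version: '2.88.2', dependencies: { 'http-signature': '~1.2.0' } },
  'node_modules/http-signature': { version: '1.2.0', dependencies: { jsprim: '^1.2.2' } },
  'node_modules/jsprim': { version: '1.4.1', dependencies: { 'json-schema': '0.2.3' } },
  'node_modules/json-schema': { version: '0.2.3' },
} };

// Compare plain x.y.z versions numerically (prerelease tags are not handled).
function lessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Resolve a dependency as Node does: nearest node_modules first, then each parent.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Return every chain from the root to `target` installed below version `fixedIn`.
function findChains(lock, target, fixedIn) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const child = resolve(lock.packages, path, name);
      if (!child || seen.has(child)) continue; // not installed, or a cycle
      const version = lock.packages[child].version;
      const step = [...trail, `${name}@${version}`];
      if (name === target && lessThan(version, fixedIn)) chains.push(step.join(' > '));
      walk(child, step, new Set(seen).add(child));
    }
  };
  walk('', [], new Set(['']));
  return chains;
}
console.log(findChains(sampleLock, 'json-schema', '0.4.0').join('\n'));
```

To check a real project, pass the parsed package-lock.json (lockfileVersion 2 or 3) in place of sampleLock; an empty result means no installed copy of the target is below the fixed version.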