Bump sass-graph@^4.0.1 #3292

Merged
merged 2 commits into from Sep 8, 2022

Conversation

akhilgkrishnan
Contributor

@akhilgkrishnan akhilgkrishnan commented Sep 1, 2022

Fixes #3293
reference: CVE-2022-25758

Regular expression denial of service in scss-tokenizer

@pitgrap

pitgrap commented Sep 1, 2022

I thought this would remove the vulnerability, but it doesn't, because it is added here without ^. 😥
@akhilgkrishnan, could you please change the dependency to "sass-graph": "^4.0.1" to avoid manual updates for future releases?
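The point pitgrap raises is the difference between pinning "sass-graph": "4.0.1" exactly and declaring "^4.0.1": an exact pin never picks up a later patch release, so every future fix in sass-graph (and in its transitive scss-tokenizer dependency) needs another manual bump. The following is an added example, not code from this PR or from node-sass. It implements a small exact-pin versus caret-range checker and walks a constructed tree shaped like `npm ls --all --json` output to report which resolved copies of a package sit below a given fixed version. The sample tree, its version numbers other than 7.0.2 and 4.0.1, and the MIN_FIXED floor are constructed placeholders; take the real fixed version of scss-tokenizer from the advisory for CVE-2022-25758.

```javascript
// Added example: exact pin vs caret range, plus a resolved-version audit.
// Not node-sass project code. Sample data below is constructed.

// "4.0.1" -> [4, 0, 1]; only plain MAJOR.MINOR.PATCH strings are handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Does `version` satisfy the package.json specifier `range`?
// Supports the two forms discussed in the thread: an exact pin ("4.0.1")
// and a caret range ("^4.0.1"). Caret semantics: at least the base
// version, and below the next release that changes the left-most
// non-zero component (so ^4.0.1 allows 4.x.y >= 4.0.1, ^0.4.3 allows 0.4.y >= 0.4.3).
function satisfies(range, version) {
  range = range.trim();
  if (range.startsWith('^')) {
    const baseStr = range.slice(1);
    const base = parseVersion(baseStr);
    const v = parseVersion(version);
    if (compareVersions(version, baseStr) < 0) return false;
    if (base[0] > 0) return v[0] === base[0];
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  return compareVersions(range, version) === 0;
}

// Walk an `npm ls --json`-style tree and collect every resolved copy of
// `pkg`, together with the chain of parents that pulled it in.
function findResolved(tree, pkg, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) out.push({ version: node.version, via: here.join(' > ') });
    findResolved(node, pkg, here, out);
  }
  return out;
}

// Every resolved copy of `pkg` older than `minFixed` (the advisory floor).
function vulnerableCopies(tree, pkg, minFixed) {
  return findResolved(tree, pkg).filter((r) => compareVersions(r.version, minFixed) < 0);
}

// Constructed sample trees (placeholder versions, not a real lock file).
// "before": an exact pin kept an older sass-graph, and with it an older
// scss-tokenizer. "after": the caret range resolved a newer sass-graph.
const MIN_FIXED_SCSS_TOKENIZER = '0.4.3'; // placeholder floor; use the advisory's value
const sampleTreeBefore = {
  name: 'example-app',
  dependencies: {
    'node-sass': { version: '7.0.2', dependencies: {
      'sass-graph': { version: '4.0.0', dependencies: {
        'scss-tokenizer': { version: '0.4.2' } } } } },
  },
};
const sampleTreeAfter = {
  name: 'example-app',
  dependencies: {
    'node-sass': { version: '7.0.2', dependencies: {
      'sass-graph': { version: '4.0.1', dependencies: {
        'scss-tokenizer': { version: '0.4.3' } } } } },
  },
};

// Stand-alone run: show the pin vs caret difference and audit both trees.
console.log('exact pin 4.0.1 accepts 4.0.2?', satisfies('4.0.1', '4.0.2'));
console.log('caret ^4.0.1 accepts 4.0.2?', satisfies('^4.0.1', '4.0.2'));
console.log('before:', vulnerableCopies(sampleTreeBefore, 'scss-tokenizer', MIN_FIXED_SCSS_TOKENIZER));
console.log('after:', vulnerableCopies(sampleTreeAfter, 'scss-tokenizer', MIN_FIXED_SCSS_TOKENIZER));
```

On a real project, feed `vulnerableCopies` the parsed output of `npm ls --all --json` and the fixed version from the advisory; a non-empty result names each dependency chain that still resolves the old package, which is exactly what an exact pin upstream would leave behind after the next fix.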

@akhilgkrishnan
Contributor Author

I thought this would remove the vulnerability, but it doesn't, because it is added here without ^. 😥 @akhilgkrishnan, could you please change the dependency to "sass-graph": "^4.0.1" to avoid manual updates for future releases?

Sure, @pitgrap I'll update that

@pitgrap pitgrap left a comment


LGTM

@akhilgkrishnan
Contributor Author

akhilgkrishnan commented Sep 1, 2022

@xzyfer, @nschonni Can you review this PR

akhilgkrishnan changed the title from "Bump sass-graph@4.0.1" to "Bump sass-graph@^4.0.1" on Sep 2, 2022
@abelmark

abelmark commented Sep 2, 2022

@xzyfer @nschonni any chance you could make this a priority? This is affecting a lot of enterprise users. Thank you!

@abelmark

abelmark commented Sep 7, 2022

@xzyfer @nschonni bump

@xzyfer
Contributor

xzyfer commented Sep 8, 2022

I'll try to cut a release tonight

@xzyfer xzyfer merged commit c716359 into sass:master Sep 8, 2022
@xzyfer
Contributor

xzyfer commented Sep 8, 2022

v7.0.2 is published

Successfully merging this pull request may close these issues.

Bump sass-graph@4.0.1 or sass-graph@^4.0.1. Vulnerability in node-sass > sass-graph > scss-tokenizer
4 participants