build(deps): ReDoS vulnerability from intermediate dependency

bin/node-sass

@@ -18,91 +18,127 @@ var Emitter = require('events').EventEmitter,
  * Initialize CLI
  */
 
-var cli = meow({
-  pkg: '../package.json',
+var cli = meow(`
+    Usage:
+      node-sass [options] <input.scss>
+      cat <input.scss> | node-sass [options] > output.css
+
+    Example: Compile foobar.scss to foobar.css
+      node-sass --output-style compressed foobar.scss > foobar.css
+      cat foobar.scss | node-sass --output-style compressed > foobar.css
+
+    Example: Watch the sass directory for changes, compile with sourcemaps to the css directory
+      node-sass --watch --recursive --output css
+        --source-map true --source-map-contents sass
+
+    Options
+      -w, --watch                Watch a directory or file
+      -r, --recursive            Recursively watch directories or files
+      -o, --output               Output directory
+      -x, --omit-source-map-url  Omit source map URL comment from output
+      -i, --indented-syntax      Treat data from stdin as sass code (versus scss)
+      -q, --quiet                Suppress log output except on error
+      -v, --version              Prints version info
+      --output-style             CSS output style (nested | expanded | compact | compressed)
+      --indent-type              Indent type for output CSS (space | tab)
+      --indent-width             Indent width; number of spaces or tabs (maximum value: 10)
+      --linefeed                 Linefeed style (cr | crlf | lf | lfcr)
+      --source-comments          Include debug info in output
+      --source-map               Emit source map (boolean, or path to output .map file)
+      --source-map-contents      Embed include contents in map
+      --source-map-embed         Embed sourceMappingUrl as data URI
+      --source-map-root          Base path, will be emitted in source-map as is
+      --include-path             Path to look for imported files
+      --follow                   Follow symlinked directories
+      --precision                The amount of precision allowed in decimal numbers
+      --error-bell               Output a bell character on errors
+      --importer                 Path to .js file containing custom importer
+      --functions                Path to .js file containing custom functions
+      --help                     Print usage info
+`, {
   version: sass.info,
-  help: [
-    'Usage:',
-    '  node-sass [options] <input.scss>',
-    '  cat <input.scss> | node-sass [options] > output.css',
-    '',
-    'Example: Compile foobar.scss to foobar.css',
-    '  node-sass --output-style compressed foobar.scss > foobar.css',
-    '  cat foobar.scss | node-sass --output-style compressed > foobar.css',
-    '',
-    'Example: Watch the sass directory for changes, compile with sourcemaps to the css directory',
-    '  node-sass --watch --recursive --output css',
-    '    --source-map true --source-map-contents sass',
-    '',
-    'Options',
-    '  -w, --watch                Watch a directory or file',
-    '  -r, --recursive            Recursively watch directories or files',
-    '  -o, --output               Output directory',
-    '  -x, --omit-source-map-url  Omit source map URL comment from output',
-    '  -i, --indented-syntax      Treat data from stdin as sass code (versus scss)',
-    '  -q, --quiet                Suppress log output except on error',
-    '  -v, --version              Prints version info',
-    '  --output-style             CSS output style (nested | expanded | compact | compressed)',
-    '  --indent-type              Indent type for output CSS (space | tab)',
-    '  --indent-width             Indent width; number of spaces or tabs (maximum value: 10)',
-    '  --linefeed                 Linefeed style (cr | crlf | lf | lfcr)',
-    '  --source-comments          Include debug info in output',
-    '  --source-map               Emit source map (boolean, or path to output .map file)',
-    '  --source-map-contents      Embed include contents in map',
-    '  --source-map-embed         Embed sourceMappingUrl as data URI',
-    '  --source-map-root          Base path, will be emitted in source-map as is',
-    '  --include-path             Path to look for imported files',
-    '  --follow                   Follow symlinked directories',
-    '  --precision                The amount of precision allowed in decimal numbers',
-    '  --error-bell               Output a bell character on errors',
-    '  --importer                 Path to .js file containing custom importer',
-    '  --functions                Path to .js file containing custom functions',
-    '  --help                     Print usage info'
-  ].join('\n')
-}, {
-  boolean: [
-    'error-bell',
-    'follow',
-    'indented-syntax',
-    'omit-source-map-url',
-    'quiet',
-    'recursive',
-    'source-map-embed',
-    'source-map-contents',
-    'source-comments',
-    'watch'
-  ],
-  string: [
-    'functions',
-    'importer',
-    'include-path',
-    'indent-type',
-    'linefeed',
-    'output',
-    'output-style',
-    'precision',
-    'source-map-root'
-  ],
-  alias: {
-    c: 'source-comments',
-    i: 'indented-syntax',
-    q: 'quiet',
-    o: 'output',
-    r: 'recursive',
-    x: 'omit-source-map-url',
-    v: 'version',
-    w: 'watch'
+  flags: {
+    errorBell: {
+      type: 'boolean',
+    },
+    functions: {
+      type: 'string',
+    },
+    follow: {
+      type: 'boolean',
+    },
+    importer: {
+      type: 'string',
+    },
+    includePath: {
+      type: 'string',
+      default: [process.cwd()],
+      isMultiple: true,
+    },
+    indentType: {
+      type: 'string',
+      default: 'space',
+    },
+    indentWidth: {
+      type: 'number',
+      default: 2,
+    },
+    indentedSyntax: {
+      type: 'boolean',
+      alias: 'i',
+    },
+    linefeed: {
+      type: 'string',
+      default: 'lf',
+    },
+    omitSourceMapUrl: {
+      type: 'boolean',
+      alias: 'x',
+    },
+    output: {
+      type: 'string',
+      alias: 'o',
+    },
+    outputStyle: {
+      type: 'string',
+      default: 'nested',
+    },
+    precision: {
+      type: 'number',
+      default: 5,
+    },
+    quiet: {
+      type: 'boolean',
+      default: false,
+      alias: 'q',
+    },
+    recursive: {
+      type: 'boolean',
+      default: true,
+      alias: 'r',
+    },
+    sourceMapContents: {
+      type: 'boolean',
+    },
+    sourceMapEmbed: {
+      type: 'boolean',
+    },
+    sourceMapRoot: {
+      type: 'string',
+    },
+    sourceComments: {
+      type: 'boolean',
+      alias: 'c',
+    },
+    version: {
+      type: 'boolean',
+      alias: 'v',
+    },
+    watch: {
+      type: 'boolean',
+      alias: 'w',
+    },
   },
-  default: {
-    'include-path': process.cwd(),
-    'indent-type': 'space',
-    'indent-width': 2,
-    linefeed: 'lf',
-    'output-style': 'nested',
-    precision: 5,
-    quiet: false,
-    recursive: true
-  }
 });
 
 /**
@@ -282,10 +318,6 @@ function watch(options, emitter) {
  */
 
 function run(options, emitter) {
-  if (!Array.isArray(options.includePath)) {
-    options.includePath = [options.includePath];
-  }
-
   if (options.directory) {
     if (!options.output) {
       emitter.emit('error', 'An output directory must be specified when compiling a directory');

package.json

@@ -60,7 +60,7 @@
     "get-stdin": "^4.0.1",
     "glob": "^7.0.3",
     "lodash": "^4.17.15",
-    "meow": "^3.7.0",
+    "meow": "^9.0.0",
     "mkdirp": "^0.5.1",
     "nan": "^2.13.2",
     "node-gyp": "^7.1.0",