sass-lint warns about a security vulnerability in minimist package (dependency) #1306

Open
ankitairen opened this issue May 19, 2020 · 3 comments


@ankitairen

To Reproduce
Steps to reproduce the behavior:
Run npm audit with the latest version of sass-lint installed.

Expected behavior
npm does not report any security vulnerabilities when sass-lint is defined in package.json.
Achievable if minimist is upgraded to >=1.2.3.

What version of Sass Lint are you using?
1.12.1

What did you do? Please include the actual source code causing the issue
Run npm audit with the latest version of sass-lint installed.
You will get the report below:
Low            Prototype Pollution
Package        minimist
Patched in     >=0.2.1 <1.0.0 || >=1.2.3
Dependency of  sass-lint [dev]
Path           sass-lint > gonzales-pe-sl > minimist
More info      https://nodesecurity.io/advisories/1179

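The advisories cited in this thread (for minimist via gonzales-pe-sl, and for merge) are all of the same class: prototype pollution, where attacker-controlled keys such as __proto__ or constructor.prototype let a write reach Object.prototype instead of the target object. The block below is an added illustration and is not code from sass-lint, minimist or merge. The two vulnerable helpers (setDottedKeyUnsafe, a dotted-path setter of the kind an argv parser uses, and mergeUnsafe, a recursive object merge) are hypothetical reductions of the pattern, each paired with a hardened form; the JSON payload is a constructed sample, and the demonstrate() function returns what each variant did so you can see the difference without leaving Object.prototype polluted afterwards.

```javascript
// Added example: the prototype-pollution pattern behind the minimist/merge
// advisories. Hypothetical reductions, not the libraries' own code.

// Keys that must never be used as a path segment into a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// VULNERABLE: walks a dotted path ("a.b.c") and creates objects on the way.
// With the path "__proto__.polluted", obj["__proto__"] is Object.prototype,
// so the final assignment lands on every object in the process.
function setDottedKeyUnsafe(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (obj[keys[i]] === undefined) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: refuses prototype-reaching segments outright and only descends
// into own properties, so an inherited object can never be the write target.
function setDottedKeySafe(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set key "${key}"`);
    if (i === keys.length - 1) { obj[key] = value; break; }
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  return target;
}

// VULNERABLE: recursive merge. JSON.parse('{"__proto__": {...}}') yields an
// OWN property literally named "__proto__", so Object.keys lists it, and
// dst["__proto__"] resolves to Object.prototype, which then gets merged into.
function mergeUnsafe(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      mergeUnsafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// HARDENED: drops forbidden keys and descends only into own properties.
function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never walk toward the prototype
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      mergeSafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Runs each variant against a constructed payload, records whether a fresh
// {} was affected, and cleans Object.prototype up again before returning.
function demonstrate() {
  const results = {};

  setDottedKeyUnsafe({}, '__proto__.polluted', 'yes'); // e.g. --__proto__.polluted=yes on argv
  results.dottedPolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;

  let rejected = false;
  try { setDottedKeySafe({}, '__proto__.polluted', 'yes'); } catch (e) { rejected = true; }
  results.dottedRejected = rejected && ({}).polluted === undefined;

  const payload = JSON.parse('{"__proto__": {"isAdmin": true}, "b": 2}'); // constructed sample
  mergeUnsafe({}, payload);
  results.mergePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  const out = mergeSafe({ a: 1 }, payload);
  results.mergeIgnored = ({}).isAdmin === undefined && out.a === 1 && out.b === 2;

  return results;
}

console.log(demonstrate());
```

The point of the hardened variants is not the specific deny-list but where the write can land: a key is only ever written onto an object the caller owns, never onto something reached through inheritance. Upgrading to the patched ranges in the audit output (minimist >=1.2.3 for the 2020 advisory, merge >=2.1.1) gets you the library authors' version of the same check.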

@josundt

josundt commented Dec 15, 2020

Could this be prioritized for 1.x and make one minor update (1.13.2)?

Just started using sass-lint 1.13.1, and it works like a charm except for the problem that this security vulnerability is detected by npm audit.

This should probably be a fairly quick fix...

@SebastianMueller87

SebastianMueller87 commented Jul 9, 2021

It also warns about a high vulnerability in merge (this was already mentioned in #1229).

sass-lint version: 1.13.1

High           Prototype Pollution
Package        merge
Patched in     >=2.1.1
Dependency of  sass-lint
Path           sass-lint > merge
More info      https://www.npmjs.com/advisories/1666

@designbyadrian

designbyadrian commented Jun 13, 2022

Critical: GHSA-xvch-5gv4-984h
sass-lint > gonzales-pe-sl > minimist

High: GHSA-7wpw-2hjm-89gp
sass-lint > merge

Moderate: GHSA-vh95-rmgr-6w4m
sass-lint > gonzales-pe-sl > minimist


I'm moving to Stylelint which is still maintained.
