CVE-2022-25758 Vulnerability #48
Comments
I'm also seeing this issue and there is no guidance on how to fix this vulnerability.
If scss-tokenizer is a dependency of sass-loader, as it was in my lib sass-loader@12.6.0, then updating sass-loader@12.6.0 to sass-loader@13.0.2. In sass-loader@13.0.2 node-sass is an optional dependency.
Updating from
@rbitting, are you updating from node-sass to sass or dark sass? I'm confused here.
I don't have a lot of skin in the game anymore since, admittedly, after asking this question I realized that
Thanks @curtvict
Fixed in v0.4.3
I'm not sure if this is the right place to bring this up, but https://nvd.nist.gov/vuln/detail/CVE-2022-25758 has never updated the affected versions to indicate < 0.4.3, though snyk has long since recognized the fix https://security.snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884. Is there something that the maintainers of the library can do to help get the vulnerability details updated in NIST and other trackers?
I'm getting a Dependabot warning in my project for this package: GHSA-7mwh-4pqv-wmr8
This previously opened issue also seems related: #45
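A lockfile check for the situation discussed in this thread, as an added example that is not part of the issue or the scss-tokenizer project: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3) and lists every installed scss-tokenizer copy below 0.4.3, the fix version given in the thread, along with the packages that declare it. The sample lockfile, its versions and the function names are constructed for illustration.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3 layout); sample values only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "sass-loader": "^12.6.0" } },
    "node_modules/sass-loader": { version: "12.6.0" },
    "node_modules/sass-graph": { version: "2.2.5", dependencies: { "scss-tokenizer": "^0.2.3" } },
    "node_modules/scss-tokenizer": { version: "0.2.3" },
    "node_modules/other/node_modules/scss-tokenizer": { version: "0.4.3" },
  },
};

const FIXED = [0, 4, 3]; // "Fixed in v0.4.3" per the thread

// True when `version` sorts before 0.4.3 (a prerelease of 0.4.3 counts as below it).
function isBelowFix(version) {
  const core = version.split("+")[0]; // drop build metadata
  const dash = core.indexOf("-");
  const nums = (dash === -1 ? core : core.slice(0, dash)).split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const part = nums[i] || 0;
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return dash !== -1;
}

// Returns one record per installed copy of `name` that is below the fix version.
function findVulnerable(lock, name = "scss-tokenizer") {
  const pkgs = lock.packages || {};
  const suffix = "node_modules/" + name;
  const declares = (m) =>
    [m.dependencies, m.optionalDependencies].some((d) => d && name in d);
  // Packages that declare the dependency: candidates to upgrade or replace.
  // This is lockfile-wide, not resolved per installed copy.
  const requiredBy = Object.entries(pkgs)
    .filter(([, meta]) => declares(meta))
    .map(([path]) => path.split("node_modules/").pop() || "(root)");
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const isTarget = path === suffix || path.endsWith("/" + suffix);
    if (isTarget && meta.version && isBelowFix(meta.version)) {
      hits.push({ path, version: meta.version, requiredBy });
    }
  }
  return hits;
}

console.log(JSON.stringify(findVulnerable(sampleLock), null, 2));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.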