yargs-parser vulnerabilities #108
Comments
Would be great to get a fix soon 👍
hey @xzyfer - I see node-sass attempts to keep a huge amount of node backcompat but there are no patched versions of yargs with explicit support for < node 4. I feel I've been staring at different version specifiers and dependency trees for so long I'm not sure of the best way forward. A possible option would be to split the cli-part of this repo out from the API? It seems there is no requirement to push yargs as a dependency down the tree for consumers that are only using this as an API.
Hey @thomas-mcdonald I've been giving this some thought also, hence the delayed patch. As you've said node-sass maintains BC back to node 0.10 - however it does not utilise the sass-graph cli. I have considered splitting out the cli function as you've also suggested but have decided against creating more ongoing work for myself. I think in this case we're ok to just bump the yargs dep. Node-sass BC should be fine since we shouldn't be exercising the yargs code paths.
Note we'll also want to bump the yargs dependency on the V2 branch since that's the version line node-sass currently uses
Released as 3.0.5 and 2.2.5
can you please update your packages?
help a homie out :)