Skip to content
This repository was archived by the owner on Jul 24, 2024. It is now read-only.

build(deps): ReDoS vulnerability from intermediate dependency#3125

Merged
xzyfer merged 1 commit into
sass:masterfrom
ykolbin:update_meow_dep
Jun 24, 2021
Merged

build(deps): ReDoS vulnerability from intermediate dependency#3125
xzyfer merged 1 commit into
sass:masterfrom
ykolbin:update_meow_dep

Conversation

@ykolbin

@ykolbin ykolbin commented Jun 7, 2021

Copy link
Copy Markdown
Contributor

Hello folks,

CVE-2021-33623 describes ReDoS vulnerability from intermediate meow dependency, so I updated meow from 3.7.0 to 9.0.0.
Unfortunately I could not update to the latest version of meow (10.0.0), because meow code was migrated to ESM and node-sass requires node engine >= 12 according current package.json.

@emiwidknowit

This comment has been minimized.

@ykolbin

ykolbin commented Jun 8, 2021

Copy link
Copy Markdown
Contributor Author

There is an issue with Alpine release checks, but I've checked PRs nearby and it looks like common issue

@sass sass deleted a comment Jun 9, 2021
Comment thread bin/node-sass
type: 'string',
},
includePath: {
type: 'string',

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is fully equivalent with the below, since I think the API is expecting an array in all cases, which was why it coerced it if it wasn't. Maybe that isMultiple forces the same thing

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

meow always returns array for isMultiple flags according documentation.
I checked behaviour and removed unnecessary code below as well: https://github.com/sass/node-sass/pull/3125/files/be85ce1818a68e45d4f40672fce5424a918bebd9#diff-66e4eb9929e494460303e4a5e5c4ea4252befaf983cc44bfea286987f0509ef9L285

@tsmartt

This comment has been minimized.

@sass sass deleted a comment from TannerS Jun 15, 2021
@sass sass deleted a comment from tvdijen Jun 15, 2021
@xzyfer xzyfer merged commit 30a52f7 into sass:master Jun 24, 2021
@xzyfer

xzyfer commented Jun 24, 2021

Copy link
Copy Markdown
Contributor

Appreciate all your effort. This is released in 6.0.1.

@jimmywarting

Copy link
Copy Markdown
Contributor

because meow code was migrated to ESM

Should also make the move to ESM - quite many are starting to do it right now

@xzyfer

xzyfer commented Jun 24, 2021

Copy link
Copy Markdown
Contributor

We're not open to adopting esm modules at this time. We want to minimise churn and limit releases to security patches and major compatibility issues.

@ljuroszekPerfectgym

Copy link
Copy Markdown

@xzyfer the security first, nice that this PR is merged. I was waiting for it, like for gulp-sass pull

@xzyfer

xzyfer commented Jun 24, 2021

Copy link
Copy Markdown
Contributor

Thanks for the reminder @ljuroszekPerfectgym. I've released a 4.1.1 with the lodash update.

@psugihara-od

Copy link
Copy Markdown

hell yeah, thanks!

@arjunadeltoso

Copy link
Copy Markdown

Was this backported to 4.14.X version as well?

@xzyfer

xzyfer commented Jul 8, 2021

Copy link
Copy Markdown
Contributor

Looks like we can back port this to 4.x by updating to meow@7 without too much happy. I'll try to cut a release in the next 48hrs.

@justinwhall

Copy link
Copy Markdown

Are there still plans to back port this to 4.x?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Regular expression denial-of-service (ReDoS)- Vulnerability trim-newlines

10 participants