Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade node-sass to resolve tar vulnerability #796

Closed
shawnbot opened this issue May 14, 2019 · 3 comments
Closed

Upgrade node-sass to resolve tar vulnerability #796

shawnbot opened this issue May 14, 2019 · 3 comments
Labels
area: tooling
Projects
Publishing workflow

Comments

@shawnbot
Copy link
Contributor

See sass/node-sass#2625 (comment) for why this is tricky to fix.

TL;DR: Deep down in our dependency tree (node-sassnode-gypnode-tar) lives an old version of tar that's susceptible to an arbitrary file overwrite vulnerability. We can't resolve it by just installing a newer version of tar; we're stuck waiting on a new node-sass release.
This was referenced May 14, 2019
Merged
Merged
@shawnbot shawnbot added this to Release backlog in 📦 Primer CSS release tracking Jul 26, 2019
@simurai simurai added this to To Do in Publishing workflow via automation Dec 31, 2019
@shawnbot
Copy link
Contributor Author

FYI, according to sass/node-sass#2625 (comment), running npm audit --fix and committing package-lock.json should resolve this now. ❤️

@simurai simurai mentioned this issue Sep 8, 2020
Merged
@simurai
Copy link
Contributor

simurai commented Sep 8, 2020

@shawnbot still thinking about Primer CSS.. 😄 ❤️

Gave this a try in #1161

@shawnbot
Copy link
Contributor Author

shawnbot commented Sep 8, 2020

@simurai Just going through my backlog of issues and trying to clean things up. I hope you're well!

@simurai simurai closed this as completed Nov 11, 2020
Publishing workflow automation moved this from To Do to Shipped 🚢 Nov 11, 2020
@github-actions github-actions bot mentioned this issue Nov 28, 2022
Open
This was referenced Dec 24, 2022
Open
Open
Open
Open
This was referenced Jan 1, 2023
Open
Open
This was referenced Jan 8, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: tooling
Projects
No open projects
Publishing workflow
  
Shipped 🚢
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shawnbot @yaili @simurai