NPM Advisory 961 - Denial of Service #2816
Comments
It would be nice if details were known... |
Getting vulnerability issues for this package
=== npm audit security report === Low Denial of Service Package node-sass Patched in No patch available Dependency of node-sass [dev] Path node-sass More info https://npmjs.com/advisories/961 |
Since this was closed for not meeting the template, hopefully including this information will allow the conversation to be started:
When I run |
From the npmjs page, for completion sake: Denial of Service Overview Remediation |
I think what @saper is getting at is that this advisor doesn't link to any CVE, so although it might be fixed in later libsass releases, there is no way of knowing. |
NPM website says this was reported by "Alexander Jordan", but with no link to the reporter. Quick googling suggests it may be @alexjordan, a security researcher with Oracle labs. Perhaps Alex will notice this mention and provide some more detail on this vulnerability. |
Same warning for me.
Will a patch be released? Thank you! |
There will be no patch unless the details of the issue will be disclosed to node-sass or libsass team. We don't know what is wrong. I have no idea what kind of funny vulnerability reporting process is this. We need a Github issue with details how to reproduce this problem, as for any other issue. |
Update yarn audit severity flag in light of webpacker item. At present, no resolution is available from the maintainer (sass/node-sass#2816), therefore, the resolution approach is to allow informational and lows to return a standard exit code (rather than non-zero).
Update yarn audit severity flag in light of webpacker item. At present, no resolution is available from the maintainer (sass/node-sass#2816), therefore, the resolution approach is to allow informational and lows to return a standard exit code (rather than non-zero).
For anyone having CI-related difficulties with this vuln but who intends to keep using node-sass, I recommend npm-audit-resolver: |
I'm the original reporter. The NPM security team should have disclosed the vulnerability (responsibly) to the maintainers and included its description and steps to reproduce. @saper let me know whether I should post details here or on a private channel like email. |
@alexjordan I tried the new GitHub Security Advisory thing, and invited you to the issue |
Thanks. Information provided there. |
Thanks for the extra details @alexjordan |
Update: npm were informed of an possible issue June 2019 |
Update: we have a patch ready to go but require time to prebuild the binaries. We expect to land within ~20hrs. The advisory should hopefully be resolved within 24hrs of that. |
This has been resolved in v4.13.1. Now we have to wait for npm to update it's advisory. |
Thank you for addressing this issue so quickly! |
The vulnerability is fixed in 4.13.1: sass/node-sass#2816 (comment) But the dependency check plugin thinks its still broken as the affected/fixed versions has not been updated yet on Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
The vulnerability is fixed in 4.13.1: sass/node-sass#2816 (comment) But the dependency check plugin thinks its still broken as the affected/fixed versions has not been updated yet on Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
The vulnerability is fixed in 4.13.1: sass/node-sass#2816 (comment) But the dependency check plugin thinks its still broken as the affected/fixed versions has not been updated yet on Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
The vulnerability is fixed in 4.13.1: sass/node-sass#2816 (comment) But the dependency check plugin thinks its still broken as the affected/fixed versions has not been updated yet on Sonatype OSS Index: https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
yarn audit
is failing due to the newly posted advisory https://www.npmjs.com/advisories/961.Any plans on resolving this?
The text was updated successfully, but these errors were encountered: