package dependency scss-tokenizer flaged unsafe #118

vycos-zen · 2022-07-14T06:18:06Z

Regular expression denial of service in scss-tokenizer

symptom: yarn.lock indicates a dependency to scss-tokenizer: ^0.3.0, trigering a dependabot warning

Severity
High
7.5/ 10

scss-tokenizer current version is 0.4.2

expected outcome: no safety warning to the package.

is it possible to update this package?

SmolinPavel · 2022-07-14T11:51:09Z

Yeah, this vulnerability has been promoted from moderate to high, so looks like it should be addressed.

paulrrogers · 2022-07-19T14:27:42Z

This scss-tokenizer fork claims to have a fix. 🤞 it will be accepted upstream.

mporkola · 2022-08-10T10:39:55Z

It was merged, now we just need update the dependency version in sass-graph. @xzyfer would you be able to do it, pretty please? 🙏

github-sj · 2022-08-30T04:25:47Z

Can somebody please provide an ETA on when this can be done?

xzyfer · 2022-09-01T01:40:56Z

Fixed in v4.0.1

github-sj · 2022-09-01T04:13:46Z

Fixed in v4.0.1

Thank you very much.

vycos-zen · 2022-09-01T12:51:06Z

sweet! thank you.

Ohiekkar mentioned this issue Aug 11, 2022

Bump scss-tokenizer@^0.4.3 #119

Merged

xzyfer closed this as completed in #119 Sep 1, 2022

Provide feedback