[Snyk] Security upgrade node-sass from 6.0.1 to 9.0.0

[karimkawambwa]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-LODASH-15053838	631

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​vuepress@​1.9.7

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Exposure of Sensitive Information in npm eventsource CVE: GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource (CRITICAL) Affected versions: < 1.1.1; >= 2.0.0 < 2.0.2 Patched version: 1.1.1 From: ? → npm/vuepress@1.9.7 → npm/eventsource@1.1.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eventsource@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: ? → npm/vuepress@1.9.7 → npm/form-data@2.3.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Authorization Bypass Through User-Controlled Key in npm url-parse CVE: GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse (CRITICAL) Affected versions: < 1.5.8 Patched version: 1.5.8 From: ? → npm/vuepress@1.9.7 → npm/url-parse@1.5.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/url-parse@1.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Prototype Pollution in npm async CVE: GHSA-fwr7-v2mv-hh25 Prototype Pollution in async (HIGH) Affected versions: >= 3.0.0 < 3.2.2; >= 2.0.0 < 2.6.4 Patched version: 2.6.4 From: ? → npm/vuepress@1.9.7 → npm/async@2.6.3 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async@2.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm body-parser vulnerable to denial of service when url encoding is enabled CVE: GHSA-qwcr-r2fm-qrc7 body-parser vulnerable to denial of service when url encoding is enabled (HIGH) Affected versions: < 1.20.3 Patched version: 1.20.3 From: ? → npm/vuepress@1.9.7 → npm/body-parser@1.19.1 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/body-parser@1.19.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Uncontrolled resource consumption in npm braces CVE: GHSA-grv7-fg5c-xmjg Uncontrolled resource consumption in braces (HIGH) Affected versions: < 3.0.3 Patched version: 3.0.3 From: ? → npm/vuepress@1.9.7 → npm/braces@2.3.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/braces@2.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Uncontrolled resource consumption in npm braces CVE: GHSA-grv7-fg5c-xmjg Uncontrolled resource consumption in braces (HIGH) Affected versions: < 3.0.3 Patched version: 3.0.3 From: ? → npm/vuepress@1.9.7 → npm/braces@3.0.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/braces@3.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: ? → npm/vuepress@1.9.7 → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: kangax npm html-minifier REDoS vulnerability CVE: GHSA-pfq8-rq6v-vf5m kangax html-minifier REDoS vulnerability (HIGH) Affected versions: <= 4.0.0 Patched version: No patched versions From: ? → npm/vuepress@1.9.7 → npm/html-minifier@3.5.21 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/html-minifier@3.5.21. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Denial of service in npm http-proxy-middleware CVE: GHSA-c7qv-q95q-8v27 Denial of service in http-proxy-middleware (HIGH) Affected versions: < 2.0.7; >= 3.0.0 < 3.0.3 Patched version: 2.0.7 From: ? → npm/vuepress@1.9.7 → npm/http-proxy-middleware@0.19.1 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-proxy-middleware@0.19.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Denial of service in npm http-proxy-middleware CVE: GHSA-c7qv-q95q-8v27 Denial of service in http-proxy-middleware (HIGH) Affected versions: < 2.0.7; >= 3.0.0 < 3.0.3 Patched version: 2.0.7 From: ? → npm/vuepress@1.9.7 → npm/http-proxy-middleware@1.3.1 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-proxy-middleware@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm ip SSRF improper categorization in isPublic CVE: GHSA-2p57-rm9w-gvfp ip SSRF improper categorization in isPublic (HIGH) Affected versions: <= 2.0.1 Patched version: No patched versions From: ? → npm/vuepress@1.9.7 → npm/ip@1.1.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ip@1.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Command Injection in lodash in npm lodash.template CVE: GHSA-35jh-r3h4-6jhm Command Injection in lodash (HIGH) Affected versions: <= 4.5.0 Patched version: No patched versions From: ? → npm/vuepress@1.9.7 → npm/lodash.template@4.5.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.template@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm minimatch ReDoS vulnerability CVE: GHSA-f8q6-p94x-37v3 minimatch ReDoS vulnerability (HIGH) Affected versions: < 3.0.5 Patched version: 3.0.5 From: ? → npm/vuepress@1.9.7 → npm/minimatch@3.0.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@3.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm node-forge has ASN.1 Unbounded Recursion CVE: GHSA-554w-wpv2-vw27 node-forge has ASN.1 Unbounded Recursion (HIGH) Affected versions: < 1.3.2 Patched version: 1.3.2 From: ? → npm/vuepress@1.9.7 → npm/node-forge@0.10.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization CVE: GHSA-5gfm-wpxj-wjgq node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization (HIGH) Affected versions: < 1.3.2 Patched version: 1.3.2 From: ? → npm/vuepress@1.9.7 → npm/node-forge@0.10.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Improper Verification of Cryptographic Signature in npm node-forge CVE: GHSA-x4jg-mjrx-434g Improper Verification of Cryptographic Signature in node-forge (HIGH) Affected versions: < 1.3.0 Patched version: 1.3.0 From: ? → npm/vuepress@1.9.7 → npm/node-forge@0.10.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Improper Verification of Cryptographic Signature in npm node-forge CVE: GHSA-cfm4-qjh2-4765 Improper Verification of Cryptographic Signature in node-forge (HIGH) Affected versions: < 1.3.0 Patched version: 1.3.0 From: ? → npm/vuepress@1.9.7 → npm/node-forge@0.10.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm path-to-regexp outputs backtracking regular expressions CVE: GHSA-9wv6-86v2-598j path-to-regexp outputs backtracking regular expressions (HIGH) Affected versions: >= 0.2.0 < 1.9.0; < 0.1.10; >= 7.0.0 < 8.0.0; >= 2.0.0 < 3.3.0; >= 4.0.0 < 6.3.0 Patched version: 0.1.10 From: ? → npm/vuepress@1.9.7 → npm/path-to-regexp@0.1.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-to-regexp@0.1.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm path-to-regexp contains a ReDoS CVE: GHSA-rhx6-c78j-4q9w path-to-regexp contains a ReDoS (HIGH) Affected versions: < 0.1.12 Patched version: 0.1.12 From: ? → npm/vuepress@1.9.7 → npm/path-to-regexp@0.1.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-to-regexp@0.1.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Cross-site Scripting in Prism in npm prismjs CVE: GHSA-3949-f494-cm99 Cross-site Scripting in Prism (HIGH) Affected versions: >= 1.14.0 < 1.27.0 Patched version: 1.27.0 From: ? → npm/vuepress@1.9.7 → npm/prismjs@1.26.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prismjs@1.26.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm safer-buffer is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: ? → npm/vuepress@1.9.7 → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Path traversal in npm webpack-dev-middleware CVE: GHSA-wr3j-pwj9-hqq6 Path traversal in webpack-dev-middleware (HIGH) Affected versions: >= 7.0.0 < 7.1.0; >= 6.0.0 < 6.1.2; < 5.3.4 Patched version: 5.3.4 From: ? → npm/vuepress@1.9.7 → npm/webpack-dev-middleware@3.7.3 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack-dev-middleware@3.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm ws affected by a DoS when handling a request with many HTTP headers CVE: GHSA-3h5v-q93c-6h6q ws affected by a DoS when handling a request with many HTTP headers (HIGH) Affected versions: >= 2.1.0 < 5.2.4; >= 6.0.0 < 6.2.3; >= 7.0.0 < 7.5.10; >= 8.0.0 < 8.17.1 Patched version: 6.2.3 From: ? → npm/vuepress@1.9.7 → npm/ws@6.2.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@6.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Trivial package: npm @vue/babel-helper-vue-jsx-merge-props has 5 lines of code Location: Package overview From: ? → npm/vuepress@1.9.7 → npm/@vue/babel-helper-vue-jsx-merge-props@1.2.1 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vue/babel-helper-vue-jsx-merge-props@1.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Trivial package: npm @vue/babel-helper-vue-transform-on has 8 lines of code Location: Package overview From: ? → npm/vuepress@1.9.7 → npm/@vue/babel-helper-vue-transform-on@1.0.2 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vue/babel-helper-vue-transform-on@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 658 more rows in the dashboard

View full report

[sentry]

Bug: The yarn.lock file was not updated, so the old, vulnerable version of node-sass will be installed, and the security fix will not be applied.
_{Severity: MEDIUM}

Suggested Fix

Run yarn install or yarn upgrade node-sass locally to regenerate the yarn.lock file with the correct dependency version (^9.0.0) and commit the updated file. This will ensure the intended version is installed during builds.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L17

Potential issue: The `package.json` file was updated to use `node-sass` version `^9.0.0`
to address a security vulnerability. However, the `yarn.lock` file was not updated and
still specifies version `^6.0.1`. When `yarn install` is run, it will prioritize the
lockfile and install the older, vulnerable version of `node-sass`. As a result, the
intended security fix will not be applied, and the project will remain exposed to the
vulnerability the pull request was meant to resolve.

_{Did we get this right? 👍 / 👎 to inform future reviews.}