Update dependency node-sass to v7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
node-sass	4.12.0 → 7.0.0

---

Denial of Service in node-sass

GHSA-9v62-24cr-58cx

More information

Details

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.

Recommendation

Upgrade to version 4.13.1 or later

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://www.npmjs.com/advisories/961
• https://github.com/sass/node-sass/commit/338fd7a14d3b8bd374a382336df16f9c6792b884
• https://github.com/advisories/GHSA-9v62-24cr-58cx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Improper Certificate Validation in node-sass

CVE-2020-24025 / GHSA-r8f7-9pfq-mjmv

More information

Details

Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-24025
• https://github.com/sass/node-sass/pull/567#issuecomment-656609236
• https://github.com/sass/node-sass/issues/3067
• https://github.com/sass/node-sass/pull/3149
• https://github.com/sass/node-sass/releases/tag/v7.0.0
• https://github.com/sass/node-sass/commit/0a21792803639851b480fbd8cbcb5540ef974387
• https://github.com/advisories/GHSA-r8f7-9pfq-mjmv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sass/node-sass (node-sass)

v7.0.0

Compare Source

Breaking changes

• Drop support for Node 15 (@​nschonni)
• Set rejectUnauthorized to true by default (@​scott-ut, #​3149)

Features

• Add support for Node 17 (@​nschonni)

Dependencies

• Bump eslint from 7.32.0 to 8.0.0 (@​nschonni, #​3191)
• Bump fs-extra from 0.30.0 to 10.0.0 (@​nschonni, #​3102)
• Bump npmlog from 4.1.2 to 5.0.0 (@​nschonni, #​3156)
• Bump chalk from 1.1.3 to 4.1.2 (@​nschonni, #​3161)

Community

• Remove double word "support" from documentation (@​pzrq, #​3159)

Misc

• Bump various GitHub Actions dependencies (@​nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 16, 17
OSX	x64	12, 14, 16, 17
Linux*	x64	12, 14, 16, 17
Alpine Linux	x64	12, 14, 16, 17
FreeBSD	i386 amd64	12, 14

*Linux support refers to major distributions like Ubuntu, and Debian

v6.0.1

Compare Source

Dependencies

• Remove mkdirp (@​jimmywarting, #​3108)
• Bump meow to 9.0.0 (@​ykolbin, #​3125)
• Bump mocha to 9.0.1 (@​xzyfer, #​3134)

Misc

• Use default Apline version from docker-node (@​nschonni, #​3121)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

v6.0.0

Compare Source

Breaking changes

• Drop support for Node 10 (@​nschonni)
• Remove deprecated process.sass API (@​xzyfer, #​2986)

Features

• Add support for Node 16

Community

• Fix typos in Troubleshooting guide (@​independencyinjection, #​3051)
• Improve dependabot configuration (@​nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

v5.0.0

Compare Source

Breaking changes

• Only support LTS and current Node versions (@​nschonni)
• Remove deprecated process.sass API (@​xzyfer, #​2986)

Features

• Add support for Node 15
• New node-gyp version that supports building with Python 3

Community

• More inclusive documentation (@​rgeerts, #​2944)
• Enabled dependabot (@​nschonni)
• Improve release automation (@​nschonni)

Fixes

• Bumped many dependencies (@​nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	10, 12, 14, 15
OSX	x64	10, 12, 14, 15
Linux*	x64	10, 12, 14, 15
Alpine Linux	x64	10, 12, 14, 15
FreeBSD	i386 amd64	10, 12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

v4.14.1

Compare Source

Community

• Add GitHub Actions for Alpine CI (@​nschonni, #​2823)

Fixes

• Bump sass-graph@​2.2.5 (@​xzyfer, #​2912)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**^, 12**^, 13**^, 14**^
Alpine Linux	x64	6, 8, 10, 11, 12, 13, 14
FreeBSD	i386 amd64	10, 12, 13

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

v4.14.0

Compare Source

https://github.com/sass/node-sass/releases/tag/v4.14.0

v4.13.1

Compare Source

https://github.com/sass/node-sass/releases/tag/v4.13.1

v4.13.0

Compare Source

https://github.com/sass/node-sass/releases/tag/v4.13.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.