Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security vulnerability in eslint < 4.18.2 #1288

Open
markgoho opened this issue Jun 21, 2019 · 10 comments
Open

Security vulnerability in eslint < 4.18.2 #1288

markgoho opened this issue Jun 21, 2019 · 10 comments

Comments

@markgoho
Copy link

Security vulnerability warning from Github today. This would be a major update to sass-lint's dependencies. I'm not sure how the repo owner would like to proceed.

@anthonydillon
Copy link

Isn't eslint a dev dependency? Why is that appearing in the dep tree when installing sass-lint in other projects?

@Jelle-S
Copy link

Jelle-S commented Jul 15, 2019

@anthonydillon It is in develop, so it seems, but not in the latest stable release: https://github.com/sasstools/sass-lint/blob/v1.13.1/package.json#L32

@anthonydillon
Copy link

@Jelle-S thanks, is there a plan to do a release soon?

@Jelle-S
Copy link

Jelle-S commented Jul 15, 2019

I have no idea, since I'm not a maintainer of this project ;)

Tagging the most active contributors:
@DanPurdy @bgriffith

@pehbehbeh
Copy link

globule is also affected:

$ yarn audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > eslint > inquirer > lodash                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > eslint > lodash                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > eslint > table > lodash                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-lint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-lint > globule > lodash                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 15866
Severity: 4 High

@o-mdr
Copy link

o-mdr commented Aug 28, 2019

Hey guys, will it be possible to get the lib updated? Thank you :)

@damienwebdev
Copy link

damienwebdev commented Sep 10, 2019

@srowhani @DanPurdy Can we get one of you to take a look at this?

I think, if there's no breaking changes, backporting the latest eslint into stable as v1.13.2. While the attack surface for this vulnerability is minor, no one likes warnings. Or, as another has already mentioned, if this is actually a devDependency, remove it from dependencies.

Additionally, given what I see occurred with v1.13.0, can we open another issue to actually indicate who the current maintainers of this repo are in the README?

@DanPurdy
Copy link
Member

hi all unfortunately eslint in v1 is a dependency due to sass-lint directly using its formatters. A major update for them 'could' be a major update for sass-lint and iirc there were issues around it when tested but it has been a while...

Unfortunately this project has been pretty much dead for 2 years (since October 2017) bar the unfortunate broken release, the work in the develop branch is as yet unfinished v2 which removes this need for eslint but its not near a ready state to be released and there's as yet no plans to finish it i'm afraid.

@YodasWs
Copy link

YodasWs commented Jun 9, 2021

hi all unfortunately eslint in v1 is a dependency due to sass-lint directly using its formatters.

This would explain #1324

@weex
Copy link

weex commented Nov 30, 2021

Came here due to GitHub's security alert on merge. Is there a community-driven fork of sass-lint that people would recommend going forward?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants