sass/node-sass

Git-Dependabot Alert - Child dependency version to be upgraded

Balaji-CDE opened this issue · 0 comments

Balaji-CDE commented
  • NPM version (npm -v): 6.14.12
  • Node version (node -v): 14.16.1
  • Node Process (node -p process.versions): {
    node: '14.16.1',
    v8: '8.4.371.19-node.18',
    uv: '1.40.0',
    zlib: '1.2.11',
    brotli: '1.0.9',
    ares: '1.16.1',
    modules: '83',
    nghttp2: '1.41.0',
    napi: '7',
    llhttp: '2.1.3',
    openssl: '1.1.1k',
    cldr: '37.0',
    icu: '67.1',
    tz: '2020a',
    unicode: '13.0'
    }
  • Node Platform (node -p process.platform): darwin
  • Node architecture (node -p process.arch): x64
  • node-sass version (node -p "require('node-sass').info"): node-sass 8.0.0 (Wrapper) [JavaScript]
  • npm node-sass versions (npm ls node-sass): node-sass@8.0.0

The latest version of node-sass uses make-fetch-happen of version ^10.0.4, which has a child dependency "http-cache-semantics": "^4.1.0" whereas http-cache-semantics(4.1.0) has security vulnerabilities and is treated as a dependabot alert in our application.

Screenshot 2023-02-08 at 11 22 59 AM

So can you upgrade the version of make-fetch-happen to 11.0.3 in node-sass which will address all the security vulnerabilities.