Update dependency node-sass to v7 [SECURITY] #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-node-sass-vulnerability

+1,133 −317

Contributor

renovate bot commented Jan 27, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
node-sass	`^4.9.0` → `^7.0.0`

GitHub Vulnerability Alerts

GHSA-9v62-24cr-58cx

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.

Recommendation

Upgrade to version 4.13.1 or later

CVE-2020-24025

Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Release Notes

sass/node-sass (node-sass)

`v7.0.0`

Breaking changes

Drop support for Node 15 (@nschonni)
Set rejectUnauthorized to true by default (@scott-ut, #3149)

Features

Add support for Node 17 (@nschonni)

Dependencies

Bump eslint from 7.32.0 to 8.0.0 (@nschonni, #3191)
Bump fs-extra from 0.30.0 to 10.0.0 (@nschonni, #3102)
Bump npmlog from 4.1.2 to 5.0.0 (@nschonni, #3156)
Bump chalk from 1.1.3 to 4.1.2 (@nschonni, #3161)

Community

Remove double word "support" from documentation (@pzrq, #3159)

Misc

Bump various GitHub Actions dependencies (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 16, 17
OSX	x64	12, 14, 16, 17
Linux*	x64	12, 14, 16, 17
Alpine Linux	x64	12, 14, 16, 17
FreeBSD	i386 amd64	12, 14

*Linux support refers to major distributions like Ubuntu, and Debian

`v6.0.1`

Dependencies

Remove mkdirp (@jimmywarting, #3108)
Bump meow to 9.0.0 (@ykolbin, #3125)
Bump mocha to 9.0.1 (@xzyfer, #3134)

Misc

Use default Apline version from docker-node (@nschonni, #3121)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

`v6.0.0`

Breaking changes

Drop support for Node 10 (@nschonni)
Remove deprecated process.sass API (@xzyfer, #2986)

Features

Add support for Node 16

Community

Fix typos in Troubleshooting guide (@independencyinjection, #3051)
Improve dependabot configuration (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

`v5.0.0`

Breaking changes

Only support LTS and current Node versions (@nschonni)
Remove deprecated process.sass API (@xzyfer, #2986)

Features

Add support for Node 15
New node-gyp version that supports building with Python 3

Community

More inclusive documentation (@rgeerts, #2944)
Enabled dependabot (@nschonni)
Improve release automation (@nschonni)

Fixes

Bumped many dependencies (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	10, 12, 14, 15
OSX	x64	10, 12, 14, 15
Linux*	x64	10, 12, 14, 15
Alpine Linux	x64	10, 12, 14, 15
FreeBSD	i386 amd64	10, 12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

`v4.14.1`

Community

Add GitHub Actions for Alpine CI (@nschonni, #2823)

Fixes

Bump sass-graph@2.2.5 (@xzyfer, #2912)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10^, 11^, 12^, 13^, 14**^
Alpine Linux	x64	6, 8, 10, 11, 12, 13, 14
FreeBSD	i386 amd64	10, 12, 13

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

`v4.14.0`

https://github.com/sass/node-sass/releases/tag/v4.14.0

`v4.13.1`

https://github.com/sass/node-sass/releases/tag/v4.13.1

`v4.13.0`

https://github.com/sass/node-sass/releases/tag/v4.13.0

`v4.12.0`

https://github.com/sass/node-sass/releases/tag/v4.12.0

`v4.11.0`

https://github.com/sass/node-sass/releases/tag/v4.11.0

`v4.10.0`

https://github.com/sass/node-sass/releases/tag/v4.10.0

`v4.9.4`

https://github.com/sass/node-sass/releases/tag/v4.9.4

`v4.9.3`

https://github.com/sass/node-sass/releases/tag/v4.9.3

`v4.9.2`

https://github.com/sass/node-sass/releases/tag/v4.9.2

`v4.9.1`

https://github.com/sass/node-sass/releases/tag/v4.9.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

orca-security-us bot reviewed

View reviewed changes

orca-security-us bot left a comment

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0 0 0 0	View in Orca
Passed	Secrets	0 0 0 0	View in Orca
Passed	Vulnerabilities	0 0 0 0	View in Orca

renovate bot force-pushed the renovate/npm-node-sass-vulnerability branch from ea33fba to 6662825 Compare

August 14, 2025 16:13

orca-security-us bot reviewed

View reviewed changes

orca-security-us bot left a comment •

edited

Loading

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0 0 0 0	View in Orca
Passed	Secrets	0 0 0 0	View in Orca
Passed	Vulnerabilities	0 0 0 0	View in Orca

renovate bot force-pushed the renovate/npm-node-sass-vulnerability branch from 6662825 to 4c22807 Compare

September 26, 2025 07:46

renovate bot force-pushed the renovate/npm-node-sass-vulnerability branch from 4c22807 to 7f04e0e Compare

October 25, 2025 20:03

renovate bot force-pushed the renovate/npm-node-sass-vulnerability branch from 7f04e0e to f3ad197 Compare

November 15, 2025 16:15

renovate bot force-pushed the renovate/npm-node-sass-vulnerability branch from f3ad197 to 0f457fb Compare

December 5, 2025 11:13


          Update dependency node-sass to v7 [SECURITY]

8b072da

renovate bot force-pushed the renovate/npm-node-sass-vulnerability branch from 0f457fb to 8b072da Compare

January 19, 2026 23:28

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet