CVE-2021-23382 issue in the 2.3 release and earlier #11050

Closed
1 of 3 tasks
keithchong opened this issue Oct 24, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@keithchong
Contributor

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

See sasstools/scss-tokenizer#45
https://security.snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884

In release-2.3, Argo CD includes node-sass which depends on sass-graph which depends on scss-tokenizer. The version of scss-tokenizer that includes the fix is v0.4.3.

Note that in release-2.4, the node-sass dependency was changed to sass via #8884.

Version

release-2.3 and earlier

Steps:

Just look at the yarn.lock for node-sass, sass-graph, and scss-tokenizer.

@keithchong added the bug label Oct 24, 2022
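
The yarn.lock check described in the issue above, as an added example that is not part of the original issue or Argo CD's code: it parses the yarn.lock v1 text format, walks up from scss-tokenizer to the package that pulls it in, and compares the resolved version with v0.4.3. The lockfile snippet, its versions and the function names are constructed for illustration.

```javascript
// Added example (not Argo CD code): trace what pulls scss-tokenizer into a yarn.lock
// (v1 text format). SAMPLE_LOCK is constructed; its versions are illustrative.
const SAMPLE_LOCK = `
node-sass@^4.13.1:
  version "4.14.1"
  dependencies:
    sass-graph "2.2.5"
sass-graph@2.2.5:
  version "2.2.5"
  dependencies:
    scss-tokenizer "^0.2.3"
scss-tokenizer@^0.2.3:
  version "0.2.3"
`;
// Parse into { name: { versions: [...], parents: [...] } }.
function parseLock(text) {
  const pkgs = {};
  const entry = (n) => (pkgs[n] = pkgs[n] || { versions: [], parents: [] });
  let cur = null, inDeps = false;
  for (const line of text.replace(/"/g, '').split(/\r?\n/)) {
    const word = line.trim().split(/\s+/);
    if (/^[^\s#].*:$/.test(line)) {            // entry header `spec[, spec]:`
      const spec = line.split(',')[0].replace(/:$/, '');
      entry(cur = spec.slice(0, spec.lastIndexOf('@')));
      inDeps = false;
    } else if (cur && /^  \S/.test(line)) {    // field of the current entry
      if (word[0] === 'version') entry(cur).versions.push(word[1]);
      inDeps = /^(optionalDependencies|dependencies):$/.test(word[0]);
    } else if (inDeps && /^    \S/.test(line)) {
      entry(word[0]).parents.push(cur);        // cur pulls in this package
    }
  }
  return pkgs;
}
// True when a plain x.y.z version is older than `fixed`.
function isOlder(version, fixed) {
  const [a, b] = [version, fixed].map((s) => s.split('.').map(Number));
  const i = a.findIndex((n, k) => n !== b[k]);
  return i !== -1 && a[i] < b[i];
}
// Report the chain of first dependents above `name` and whether any version predates the fix.
function audit(text, name = 'scss-tokenizer', fixed = '0.4.3') {
  const pkgs = parseLock(text);
  const chain = [name];
  let up;
  while ((up = pkgs[chain[0]]?.parents[0]) && !chain.includes(up)) chain.unshift(up);
  const versions = pkgs[name]?.versions ?? [];
  return { chain, versions, affected: versions.some((v) => isOlder(v, fixed)) };
}
console.log(audit(SAMPLE_LOCK));
```

To run it against a real checkout, pass the contents of the project's yarn.lock to `audit` in place of `SAMPLE_LOCK`.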
@keithchong
Contributor Author

OTOH, it's a dev dependency

@blakepettersson
Member

Don't think this one's so relevant anymore 😄

@blakepettersson closed this as not planned Sep 30, 2023