Bump node-sass to address LibSass vulnerabilities

There are a few known security vulnerabilities related to the version of node-sass used in the repo. Both node-sass and LibSass are deprecated, but replacing node-sass with dart-sass fails because EUI does not follow the standard Sass spec. This results in a SassError: `Top-level selectors may not contain the parent selector "&"`. Resolving this problem will have to be done in the long-term, but for now there are branches of node-sass that exist with a newer version of LibSass that does not contain any known security vulnerabilities. Unfortunately, these changes don't exist in any of the main releases, so we must use a specific branch (v5). Details are on the main Sass website: https://sass-lang.com/blog/libsass-is-deprecated Signed-off-by: Tommy Markley <[email protected]>
opensearch-project · Jun 23, 2021 · 8c0d430 · 8c0d430
1 parent d870129
commit 8c0d430
Show file tree

Hide file tree

Showing 3 changed files with 166 additions and 236 deletions.
diff --git a/packages/osd-optimizer/package.json b/packages/osd-optimizer/package.json
@@ -33,14 +33,13 @@
     "json-stable-stringify": "^1.0.1",
     "lmdb-store": "^0.6.10",
     "loader-utils": "^1.2.3",
-    "node-sass": "^4.13.1",
+    "node-sass": "sass/node-sass#v5",
     "normalize-path": "^3.0.0",
     "pirates": "^4.0.1",
     "postcss": "^8.2.10",
     "postcss-loader": "^3.0.0",
     "raw-loader": "^3.1.0",
     "rxjs": "^6.5.5",
-    "js-yaml": "^3.14.0",
     "sass-loader": "^8.0.2",
     "source-map-support": "^0.5.19",
     "style-loader": "^1.1.3",

diff --git a/packages/osd-ui-framework/package.json b/packages/osd-ui-framework/package.json
@@ -53,7 +53,7 @@
     "jquery": "^3.5.0",
     "keymirror": "0.1.1",
     "moment": "^2.24.0",
-    "node-sass": "^4.13.1",
+    "node-sass": "sass/node-sass#v5",
     "postcss": "^8.2.10",
     "postcss-loader": "^3.0.0",
     "raw-loader": "^3.1.0",