Whitesource scan detected security vulnerability in Libsass < 3.5.5

[joginds4]

Hi Node-Sass team,

Whitesource (Opensource) scan detected security vulnerability on Libsass < 3.5.5 which is being pushed by node-sass v4.12.0. Here are the details:

• NPM version (npm -v): 5.6.0
• Node version (node -v): 8.9.4
• Node Process (node -p process.versions):{ http_parser: '2.7.0', node: '8.9.4', v8: '6.1.534.50',
  uv: '1.15.0', zlib: '1.2.11', ares: '1.10.1-DEV', modules: '57', nghttp2: '1.25.0', openssl: '1.0.2n', icu: '59.1', unicode: '9.0', cldr: '31.0.1', tz: '2017b' }
• Node Platform (node -p process.platform): win32 (dev), linux (prod)
• Node architecture (node -p process.arch): x64
• node-sass version (node -p "require('node-sass').info"):
  node-sass 4.12.0 (Wrapper) [JavaScript]
  libsass 3.5.4 (Sass Compiler) [C/C++]
• npm node-sass versions (npm ls node-sass): -- [email protected]

### Vulnerability details:

Name: CVE-2018-11499
Description: A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish date: 2018-05-26
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499

Can anyone plz resolve this issue and publish is new node-sass version containing upgraded package of Libsass i.e. greater than or equals to 3.5.5.?

Regards,
Joginder

[danielgefen]

Whitesource recommended upgrading LibSass to 3.6.0 due the following vulnerabilities that were fixed:
sass/libsass#2656
sass/libsass#2781
sass/libsass#2658
sass/libsass#2643
sass/libsass#2786

Could you please update node-sass and support LibSass 3.6.0?

[nschonni]

Bumping it is already tracked in #2685