This repository was archived by the owner on Jul 24, 2024. It is now read-only.

Security vulnerability CVE-2021-23362 #3092

Closed
jayp112 opened this issue Apr 21, 2021 · 6 comments

Comments


jayp112 commented Apr 21, 2021

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js.

node-sass@5.0.0 has the following dependency chain. node-sass@5.0.0 -> meow@3.7.0 -> normalize-package-data@2.5.0 -> hosted-git-info@2.8.8.

Can you please upgrade meow to v8.0.0+? That should pick up the version of hosted-git-info that addresses this CVE.

@nschonni (Contributor)

You may have something you need to address in your local lock file, as we don't have a pinned version.
Running locally

$ npm i
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

> node-sass@5.1.0 install Z:\node-sass
> node scripts/install.js

node-sass build Binary found at Z:\node-sass\vendor\win32-x64-83\binding.node

> node-sass@5.1.0 postinstall Z:\node-sass
> node scripts/build.js

Binary found at Z:\node-sass\vendor\win32-x64-83\binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.3.1 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 467 packages from 236 contributors and audited 473 packages in 16.137s

43 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Not to say upgrading it isn't a good idea, but upgrading it requires changing code #3058 and there isn't an issue directly here

@MrMorice

Hey @nschonni! Thanks for checking. Seems to be also fixed in hosted-git-info@2.8.9, which will install after a clean npm i. Best, Moritz


arderyp commented May 6, 2021

I am confused here. I am running the latest LTS node (v14.16.1). As far as I can tell, the latest node-sass compatible with this is 4.14.1. Are you saying we need to use node-sass version 5.0.0 on a later, non-LTS version of node to resolve this issue? I'd appreciate if you could help clarify @MrMorice / @nschonni


arderyp commented May 6, 2021

To clarify @nschonni, when I try to compile using node-sass 5.0.0 with the latest LTS node v14.6.1, it fails with: Error: Node Sass version 5.0.0 is incompatible with ^4.0.0.


lcoq commented May 7, 2021

Hi,

I encounter the same problem, and I don't really understand what you are saying @nschonni:

You may have something you need to address in your local lock file, as we don't have a pinned version.

From what I see, the latest node-sass package (5.0.0) requires meow ^3.7.0, which indeed has security issues through its dependency chain:

Moderate Regular Expression Deinal of Service
Package hosted-git-info
Patched in >=3.0.8
Dependency of node-sass
Path node-sass > meow > normalize-package-data > hosted-git-info

Moderate Regular Expression Deinal of Service
Package hosted-git-info
Patched in >=3.0.8
Dependency of node-sass
Path node-sass > meow > read-pkg-up > read-pkg > normalize-package-data > hosted-git-info

Am I missing something? How can we fix this security issue?

Also, in the output in your comment there seem to be references to node-sass@5.1.0; not sure where you got that?

Thanks
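
Both the dependency chain in the opening report and the two npm audit paths quoted above are logical chains (which package requires which), while a lockfile v1 nests "dependencies" by physical node_modules layout and records the logical edges in "requires". The script below is an added example, not code from node-sass or from anyone in this thread: it walks a package-lock.json the way Node resolves modules (a package's own nested node_modules first, then each enclosing level up to the root) and reports every logical path from the project's direct dependencies to a hosted-git-info release below the patched versions named in this thread (2.8.9 on the 2.x line, 3.0.8 on 3.x). The lock fragment, the range strings in it and the package `some-tool` are constructed for the example; it also shows the case from nschonni's reply where a clean install already resolves to a fixed version, which is simply not flagged.

```javascript
// Added example, not from the node-sass project or this issue. Finds logical
// dependency paths in a lockfile v1 structure that end in a vulnerable
// hosted-git-info. Sample lock data at the bottom is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// First patched release per major line, as stated in the thread.
const HOSTED_GIT_INFO_FIXED = { 2: '2.8.9', 3: '3.0.8' };

function isVulnerableHostedGitInfo(version) {
  const [major] = parseVersion(version);
  if (major < 2) return true;               // older than any fixed line
  const fixed = HOSTED_GIT_INFO_FIXED[major];
  if (!fixed) return false;                 // lines the thread does not cover are not flagged
  return compareVersions(version, fixed) < 0;
}

// Resolve `name` from a chain of dependency maps: scopes[0] is the root
// node_modules, the last entry is the requiring package's own nested
// node_modules. Innermost scope wins, like Node's directory walk-up.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const scope = scopes[i];
    if (scope && scope[name]) {
      return { node: scope[name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null; // not installed, e.g. a skipped optional dependency
}

function findVulnerablePaths(lock, directDeps, target, isVulnerable) {
  const hits = [];
  function walk(requires, scopes, trail, seen) {
    for (const name of requires) {
      const found = resolveDep(name, scopes);
      if (!found) continue;
      const label = `${name}@${found.node.version}`;
      if (seen.has(label)) continue; // cycle guard for this path only
      const path = [...trail, label];
      if (name === target && isVulnerable(found.node.version)) {
        hits.push(path.join(' > '));
      }
      walk(Object.keys(found.node.requires || {}),
           [...found.scopes, found.node.dependencies],
           path, new Set(seen).add(label));
    }
  }
  walk(directDeps, [lock.dependencies], [], new Set());
  return hits;
}

// Constructed lockfile fragment modelled on the chain quoted in the issue;
// dependency lists are trimmed to what the example needs.
const SAMPLE_LOCK = {
  name: 'my-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'node-sass': { version: '5.0.0', requires: { meow: '^3.7.0' } },
    meow: { version: '3.7.0', requires: { 'normalize-package-data': '^2.3.4', 'read-pkg-up': '^1.0.1' } },
    'normalize-package-data': { version: '2.5.0', requires: { 'hosted-git-info': '^2.1.4' } },
    'read-pkg-up': { version: '1.0.1', requires: { 'read-pkg': '^1.0.0' } },
    'read-pkg': { version: '1.1.0', requires: { 'normalize-package-data': '^2.3.2' } },
    'hosted-git-info': { version: '2.8.8' },
    // Hypothetical second consumer that already resolved to a fixed release,
    // installed nested under it because the hoisted copy is older.
    'some-tool': {
      version: '1.0.0',
      requires: { 'hosted-git-info': '^2.8.9' },
      dependencies: { 'hosted-git-info': { version: '2.8.9' } },
    },
  },
};
const SAMPLE_DIRECT_DEPS = ['node-sass', 'some-tool']; // from package.json "dependencies"

function auditSampleLock() {
  return findVulnerablePaths(SAMPLE_LOCK, SAMPLE_DIRECT_DEPS,
                             'hosted-git-info', isVulnerableHostedGitInfo);
}

for (const p of auditSampleLock()) console.log('vulnerable path:', p);
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and SAMPLE_DIRECT_DEPS with the keys of package.json's dependencies and devDependencies; the two reported paths then correspond one-to-one to the audit entries quoted above, and a lock regenerated after a clean `npm i` (as nschonni and MrMorice describe) resolves hosted-git-info to 2.8.9 and reports nothing.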


lcoq commented May 10, 2021

This issue has been fixed in hosted-git-info@2.8.9 : npm/hosted-git-info#85
