Vulnerability in dependency #563

Closed
damiarita opened this issue Apr 13, 2019 · 7 comments

Comments

@damiarita

damiarita commented Apr 13, 2019

Hi,

Recently, the vulnerability https://nodesecurity.io/advisories/803 appeared

I use Webpack Encore with enableSassLoader(), which forces me to add node-sass, which has this dependency chain: node-sass > node-gyp > tar

This is my yarn audit result:
$ yarn audit
yarn audit v1.13.0
┌───────────────┬────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                       │
├───────────────┼────────────────────────────────────────────────┤
│ Package       │ tar                                            │
├───────────────┼────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                        │
├───────────────┼────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                      │
├───────────────┼────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > tar                     │
├───────────────┼────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803         │
└───────────────┴────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 12330
Severity: 1 High
Done in 2.21s.

This is my result of yarn why tar:
$ yarn why tar
yarn why v1.13.0
[1/4] Why do we have the module "tar"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "tar@2.2.1"
info Reasons this module exists
   • "node-sass#node-gyp" depends on it
   • Hoisted from "node-sass#node-gyp#tar"
=> Found "node-pre-gyp#tar@4.4.8"
info This module exists because "@symfony#webpack-encore#webpack-dev-server#chokidar#fsevents#node-pre-gyp" depends on it.
Done in 1.41s.

Is it possible to have sass-loader use a more modern tar version?

@Lyrkan
Collaborator

Lyrkan commented Apr 13, 2019

Hi @damiarita,

Not much we can do on our side... and no "proper" solution is available yet.

The following PR could solve the issue if merged/released: nodejs/node-gyp#1718
I suggest you read the following thread for workarounds in the meantime: sass/node-sass#2625

Another solution could be to use Dart Sass instead of Node Sass (since the sass-loader allows you to switch quite easily):

# Remove node-sass and replace it by sass
$ yarn remove node-sass
$ yarn add --dev sass

// webpack.config.js
const Encore = require('@symfony/webpack-encore');

Encore.enableSassLoader(options => {
  // The following line won't be needed anymore when
  // the next version of sass-loader is released
  options.implementation = require('sass');
});

@Lyrkan Lyrkan closed this as completed Apr 13, 2019
@damiarita
Author

Hi,

I followed the steps. But I get the same issue as in #422

This is the error:
Error: Install node-sass to use enableSassLoader()
yarn add node-sass --dev

I have tried both require('sass'); and require('dart-sass');

@Lyrkan
Collaborator

Lyrkan commented Apr 14, 2019

@damiarita You may be using an old version of Encore, support for Dart Sass was added in 0.24.0.

@geoff-maddock

@damiarita did you get a resolution here? I tried using sass as described here, even with webpack-encore 0.27.0, but it still says Error: Install node-sass to use enableSassLoader()

@Kocal
Member

Kocal commented Jun 20, 2019

I think the best option is to drop node-sass for sass:

Encore.enableSassLoader(options => {
    options.implementation = require('sass');
})

@geoff-maddock

Odd, I still get the error even after changing it. Seems like it's a dependency of encore still

@Lyrkan
Collaborator

Lyrkan commented Jun 20, 2019

@geoff-maddock Could you share a repro?

I just tested it and it seems to work fine for a minimal setup:

// webpack.config.js
const Encore = require('@symfony/webpack-encore');

Encore
    .disableSingleRuntimeChunk()
    .setOutputPath('build')
    .setPublicPath('/build')
    .enableSassLoader(options => {
        options.implementation = require('sass');
    })
    .addEntry('scss', './style.scss')
;

module.exports = Encore.getWebpackConfig();

$ yarn add @symfony/webpack-encore sass-loader sass
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved 563 new dependencies.
info Direct dependencies
├─ @symfony/webpack-encore@0.27.0
├─ sass-loader@7.1.0
└─ sass@1.21.0

$ yarn encore production
yarn run v1.13.0

 DONE  Compiled successfully in 823ms

 I  2 files written to build
Entrypoint scss = scss.css scss.js

$ yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 13442

Also there isn't any vulnerability issue anymore with node-sass either:

$ yarn remove sass
yarn remove v1.13.0
[1/2] Removing module sass...
[2/2] Regenerating lockfile and installing missing dependencies...
success Uninstalled packages.

$ yarn add node-sass
yarn add v1.13.0
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved 72 new dependencies.
info Direct dependencies
└─ node-sass@4.12.0

$ yarn audit
yarn audit v1.13.0
0 vulnerabilities found - Packages audited: 11854

4 participants