Security issue in node-sass

[netsensei]

Github currently flags a vulnerability in a dependency in package-lock.json: hapijs/hoek@2.6.13 is vulnerable per the CVE.

Detailed description

hapijs/hoek is a low-level dependency of the node-sass library via request package. We use node-sass in the front-end workflow via (@symfony/webpack-encore).

node-sass 0.4.9 has a dependency tree which loads the vulnerable package. The maintainers of node-sass need to upgrade their dependencies in order to get the patched versions of their dependencies in order to fix this.

The problem is that this is a no go per sass/node-sass#2170 and sass/node-sass#2355. Upgrading the dependencies would break backward-compatibility with older versions of node that are still in use.

This will be fixed once node-sass 5 is released per sass/node-sass#2312.

Context

It's a devDependency which means that node-sass is only used when there's actual front-end development done in a sandbox environment. The compiled CSS is pre-packaged with (future) stable versions of the datahub. As such, users don't need to run npm install and fetch webpack, node-sass, encore,... and all their dependencies in order to run the datahub.

The other work around would be removing package-lock.json. But that would be bad practice. npm 5 generates the file by default, and it's intended to be committed.

Possible implementation

None.

Your environment

• node v10.1.0
• npm 5.6.0
• yarn 1.7.0

[netsensei]

This is fixed. Closing this issue.

The other work around would be removing package-lock.json. But that would be bad practice. npm 5 generates the file by default, and it's intended to be committed.

Removed this anyway since yarn 1.13.0 complains about "mixing package managers isn't a good idea". Instead of npm install, users need to run yarn install to get all their dependencies.