Remove vulnerability #114
Comments
Manually removed vulnerability by upgrading 'tar' package from 2.2.1 to 4.4.8 (https://stackoverflow.com/questions/55635378/angular-devkit-build-angular-arbitrary-file-overwrite). angular-devkit and node-sass issues are still open. (angular/angular-cli#14138, sass/node-sass#2625). Will permanently be fixed once above 2 issues are addressed by Angular and node-sass teams.
Removed manual fix, waiting for official fixes from node-sass and angular teams.
We are still waiting for node-sass and angular-cli to remove these vulnerabilities from their end. Node-sass is using an older version of node-gyp, which is using tar version 2. Node-sass is taking time to upgrade due to backward compatibility. Angular-cli is using node-sass and is also waiting for them to remove the vulnerability. So, both vulnerabilities will be removed when node-sass upgrades node-gyp. We are keeping track of these issues and will fix RTL as soon as angular-cli and node-sass are fixed. Initially, we fixed the issue manually, but after doing some more research, we were confident that these vulnerabilities will not affect RTL users adversely and decided to remove the manual intervention from npm dependencies. In short, the vulnerability will be removed from node-sass and it is safe to use RTL with this vulnerability.
Fixed.
Remove node-sass vulnerability
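The thread above ties the finding to a transitive `tar` 2.x pulled in through node-gyp. As an added example (not code from this project), the following walks a `package-lock.json` in the v1 layout and reports which installed package still resolves `tar` to a copy older than 4.4.8. The function names, the sample lockfile, `other-pkg`, and every version other than the two `tar` versions are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample in package-lock.json v1 layout. Only the two tar versions
// come from the issue; every other version and `other-pkg` are made up.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'node-sass': { version: '1.0.0', requires: { 'node-gyp': '^1.0.0' } },
    'node-gyp': { version: '1.0.0', requires: { tar: '^2.0.0' } },
    tar: { version: '2.2.1' },
    'other-pkg': {
      version: '1.0.0',
      requires: { tar: '^4.4.8' },
      dependencies: { tar: { version: '4.4.8' } },
    },
  },
};

// Numeric compare of "major.minor.patch"; negative when a is older than b.
function cmpVersion(a, b) {
  const pa = a.split('.'), pb = b.split('.');
  for (let i = 0; i < 3; i++) {
    const d = (parseInt(pa[i], 10) || 0) - (parseInt(pb[i], 10) || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every package whose `requires` entry for `name` resolves to an
// installed copy older than `minVersion`.
function findOldInstalls(lock, name, minVersion) {
  const findings = [];
  const walk = (deps, scopes, path) => {
    for (const [pkg, info] of Object.entries(deps)) {
      const here = path.concat(pkg);
      const inner = scopes.concat([info.dependencies || {}]);
      if (info.requires && name in info.requires) {
        // Node resolution: the nearest enclosing node_modules wins.
        const hit = [...inner].reverse().find((s) => s[name]);
        if (hit && cmpVersion(hit[name].version, minVersion) < 0) {
          findings.push({ requiredBy: here.join(' > '), range: info.requires[name], installed: hit[name].version });
        }
      }
      walk(info.dependencies || {}, inner, here);
    }
  };
  const root = lock.dependencies || {};
  walk(root, [root], []);
  return findings;
}

console.log(findOldInstalls(sampleLock, 'tar', '4.4.8'));
```

On the sample, only `node-gyp` is reported, because `other-pkg` resolves to its own nested `tar` 4.4.8 while `node-gyp` still falls through to the hoisted 2.2.1 copy.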