This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

[Security] new node-gyp version available to patch security vulnerability #2636

Closed
benwiley4000 opened this issue Apr 24, 2019 · 2 comments

@benwiley4000

Since the #2625 discussion got locked, I had to open a new thread, but just wanted to note that a few hours ago node-gyp v4.0.0 was released, which patches the security vulnerability with the tar package.

nodejs/node-gyp#1718 (comment)

The major version bump is because node-gyp v4 drops support for any Node.js version lower than 6. This sounds like a big change since node-sass currently supports Node.js 0.10 and higher.

However...

I noticed that the currently used version of node-gyp (v3.8) only officially supports Node.js 4 and higher, so perhaps the Node version restriction is irrelevant for node-sass's use case, and it could be released as a minor or patch version bump.

@xzyfer
Contributor

xzyfer commented Apr 24, 2019

Thank you. We're aware of the update and are considering our options.

@xzyfer xzyfer closed this as completed Apr 24, 2019
@gpkoltermann

They bumped tar and loosened up node constraints 2 days ago. I think now you can update :). Please take a look here: nodejs/node-gyp#1714 (comment)
