
Bump node-sass from 6.0.1 to 9.0.0

Open dependabot[bot] opened this issue 2 years ago • 1 comment

Bumps node-sass from 6.0.1 to 9.0.0.

Release notes

Sourced from node-sass's releases.

v9.0.0

What's Changed

Breaking changes

Supported Environments

OS            Architecture   Node
Windows       x86 & x64      16, 18, 19, 20
OSX           x64            16, 18, 19, 20
Linux*        x64            16, 18, 19, 20
Alpine Linux  x64            16, 18, 19, 20

*Linux support refers to major distributions like Ubuntu, and Debian

v8.0.0

What's Changed

Breaking changes

Features

Dependencies

Misc

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar May 22 '23 12:05 dependabot[bot]

New dependency changes detected. Learn more about Socket for GitHub


🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

⚠️ Uses eval

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Package                      Eval Type   Location   Source
[email protected] (added)   Function    index.js   package.json via [email protected]
⚠️ Dynamic require

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Package                        Location                                    Source
[email protected] (added)      index.umd.js                                package.json via [email protected]
[email protected] (added)      index.umd.js                                package.json via [email protected]
[email protected] (added)      test/integration/test-forever.js            package.json via [email protected]
[email protected] (added)      test/integration/test-retry-operation.js    package.json via [email protected]
[email protected] (added)      test/integration/test-retry-wrap.js         package.json via [email protected]
[email protected] (added)      test/integration/test-timeouts.js           package.json via [email protected]
[email protected] (upgraded)   build/index.cjs                             package.json via [email protected]
[email protected] (upgraded)   build/index.cjs                             package.json via [email protected]
⚠️ Obfuscated require

Package accesses dynamic properties of require and may be obfuscating code execution.

The package should not access dynamic properties of module. Instead use import or require directly.

Package                        Location          Source
[email protected] (added)      index.umd.js      package.json via [email protected]
[email protected] (added)      index.umd.js      package.json via [email protected]
[email protected] (upgraded)   build/index.cjs   package.json via [email protected]
⚠️ Bidirectional unicode control characters

Source files contain bidirectional unicode control characters. This could indicate a Trojan source supply chain attack. See: trojansource.codes for more information.

Remove bidirectional unicode control characters, or clearly document what they are used for.

Package                      Location                            Source
[email protected] (added)   encodings/sbcs-data-generated.js    package.json via [email protected]
[email protected] (added)   encodings/sbcs-data-generated.js    package.json via [email protected]
[email protected] (added)   encodings/sbcs-data-generated.js    package.json via [email protected]
⚠️ Zero width unicode chars

Package files contain zero width unicode characters. This could indicate a supply chain attack.

Packages should remove unnecessary zero width unicode characters and use their visible counterparts.

Package                      Location                            Source
[email protected] (added)   encodings/sbcs-data-generated.js    package.json via [email protected]
⚠️ Suspicious strings

This package contains suspicious text patterns which are commonly associated with bad behavior.

The package code should be reviewed before installing.

Package                                   Location                       Source
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 dist/index.js                  package.json via [email protected]
@npmcli/[email protected] (added)         package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              lib/source-map-consumer.js     package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
@tootallnate/[email protected] (added)    package.json                   package.json via [email protected]
@tootallnate/[email protected] (added)    package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 src/browser.js                 package.json via [email protected]
[email protected] (upgraded)              lib/source-map-generator.js    package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              lib/mapping-list.js            package.json via [email protected]
[email protected] (upgraded)              lib/util.js                    package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (upgraded)              lib/util.js                    package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
@npmcli/[email protected] (added)         package.json                   package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
@gar/[email protected] (added)            package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 minimatch.js                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 dist/index.js                  package.json via [email protected]
[email protected] (upgraded)              package.json                   package.json via [email protected]
[email protected] (upgraded)              scripts/install.js             package.json
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
[email protected] (added)                 package.json                   package.json via [email protected]
⚠️ Trivial Package

Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.

Removing this package as a dependency and implementing its logic will reduce supply chain risk.

Package                      Location       Source
[email protected] (added)   index.js       package.json via [email protected]
[email protected] (added)   index.js       package.json via [email protected]
[email protected] (added)   lib/index.js   package.json via [email protected]
[email protected] (added)   lib/index.js   package.json via [email protected]
Pull request alert summary
Issue                                      Status
Critical CVE                               ✅ 0 issues
Install scripts                            ✅ 0 issues
Native code                                ✅ 0 issues
Bin script confusion                       ✅ 0 issues
Bin script shell injection                 ✅ 0 issues
High entropy strings                       ✅ 0 issues
Uses eval                                  ⚠️ 1 issue
Dynamic require                            ⚠️ 8 issues
Unresolved require                         ✅ 0 issues
Obfuscated require                         ⚠️ 3 issues
Obfuscated code                            ✅ 0 issues
Bidirectional unicode control characters   ⚠️ 3 issues
Zero width unicode chars                   ⚠️ 1 issue
Invisible chars                            ✅ 0 issues
Suspicious strings                         ⚠️ 56 issues
Invalid package.json                       ✅ 0 issues
HTTP dependency                            ✅ 0 issues
Git dependency                             ✅ 0 issues
Trivial Package                            ⚠️ 4 issues
Non-existent author                        ✅ 0 issues
Unpublished package                        ✅ 0 issues
Potential typo squat                       ✅ 0 issues
Known Malware                              ✅ 0 issues
Telemetry                                  ✅ 0 issues
Protestware/Troll package                  ✅ 0 issues
AI detected security risk                  ✅ 0 issues
AI warning                                 ✅ 0 issues

📊 Modified Dependency Overview:

⬆️ Updated Package     Version Diff     Added Capability Access   +/- Transitive Count   Publisher
[email protected]      6.0.1...9.0.0    network                   +85/-86                xzyfer

socket-security[bot] avatar May 22 '23 12:05 socket-security[bot]