I have an app created with Vue-Cli and it uses node-sass. Recently, I ran npm audit and is informing me there is a new advisory for node-sass with the following info:
All versions of node-sass are vulnerable to Denial of Service (DoS).
No fix is currently available. Consider using an alternative package
until a fix is made available.
Thus, I can't deploy my app to the company's enterprise cloud (DevOps pipeline).
Does anyone know how I can fix or replace node-sass with dart-sass and whether there are any specific updates or changes I need to do with my app?
Kinda shooting in the dark here...not much out there at the moment. Thanks.
This worked for me, follow the link below
https://www.priestch.com/replace-node-sass-with-dart-sass-in-vue-cli3-based-project/
Thanks
Related
I want to look at upgrading NPM on a project I'm working on from 5.8.0 to the latest version.
Is this something that is safe to do without breaking any packages i have installed? And if there's a chance it might, what is the best method for testing those packages to make sure everything is running correctly still?
Updating NPM is unlikely to break anything. However your packages may require a certain version of Node.js to function properly.
There also isn't really a "best method" to check if everything runs correctly. Ill refer you to this answer which has a few options you can try.
I am using node-sass 4.13.1 which wraps libsass 3.5.4.
Due to security reasons we need to update libsass to 3.6.0 without downgrading the node-sass version.
How can this be achieved. Specifying the libsass version in the package.json is not feasible since libsass is not a dependency but rather a wrapped library.
Is it possible to force the use of libsass 3.6.0 after all dependencies for the repo have been installed?
Does anybody know a better solution?
I am leaning towards looking into how i can edit the scripts part of the package.json file to run a pre-install script which will force the version. Is that a good idea?
Thanks
There are forked versions of node-sass that do have 3.6.x in them, as well as a branch within the main project repo. The problem is that you will have to build it yourself in order to use them.
https://github.com/ItsLeeOwen/node-sass/tree/libsass-2b8a17a
or
https://github.com/sass/node-sass/tree/libsass-3.6.1
for example.
There is a branch available in node-sass repository which uses LibSass v3.6.3 with node-sass v4.13.1
I also faced the same issue and after doing a lot of research, the below solution worked for me:
Try installing the branch of node-sass from the github repository by using the below command (the package is already built, so you don't have to build it explicitly)
npm install https://github.com/sass/node-sass.git#v5
I am working on a project with dotnet core, in Linux and it is using MVC.
I am reading a book for learning how to put things together. The book advises installing Bower. But the last time I researched bower I believe they were advising towards using something else for new projects.
I would like to know what alternative I can use for front end management. I need to be able to use Bootstrap, Jquery, Popper and Datatables on my page. And of course, I should be able to use it in Linux.
Thanks for the help francium. NPM is working just fine.It is in the official Ubuntu repository. You have to install popper the following way though: npm install popper.js --save
If you don't specify the .js extension it will give you a warning saying that bootstrap requires a popper installation but it was not installed. You also have to install git on your machine to make it work. I did not do it the first time I ran it and it gave me an error asking me if it was installed. Thanks for the suggestion, It was relatively easy to do get things working.
Yarn is now the alternative to Bower, but to install Yarn you need to use NPM
this question might seem stupid but I'm looking for a solution to this scenario:
Let's say I'm starting a new project at an offline environment and I have some npm packages installed globally on my laptop and I'd like to use them for a new project I just created.
For example: I've used npm i -g create-react-app and now I'd like to use create-react-app to make a new react app but I'm currently offline.
I've tried to follow an "offline npm" solution where I basically create an npm server on my computer but I didn't manage to make it work, and am not sure if this will give me the solution I'm looking for.
Sorry if this was answered before, I couldn't find a solution.
Thanks in advance!
You can try run
create-react-app youproject
when you are offline. For me, this sometimes work, sometimes not.
Other solution is install offline all packages, defined in package.json file. You can do this, if you have this packages installed in online mode.
So you can try install this packages, using:
npm link packagename
or
npm i './path_to_package_in_user_directory' // yes, you can also install packages from folder
This solution is also ok, when you try add new packages to existing project. Sometimes this causes error and you need reinstall all packages (that's big pain), but most of all, works good.
I have projects to maintain that use node-sass npm module.
Since node 10.x, there is a tool (called npm audit) that is run every time we do a npm install. This seems to be a good tool for preventing vulnerability issues.
My problem is that the node-sass module has vulnerabilities. I saw that the maintainers of the project do not want to fix the issues with bad reasons.
https://github.com/sass/node-sass/issues/2262
People maintaining popular module like node-sass should correct as soon as possible the vulnerability issues, but unfortunately they don't.
I am not an expert in Security, so I prefer to rely on what indicates npm and not use anymore dependencies that print messages that let you think your software is crap.
But I like so much SASS for coding CSS that I would like to give it a chance to keep it.
Any idea for removing these vulnerability messages while keeping the project safe and not reducing developer experience ?
This security issue is mainly irrelevant to node-sass since it never sees any exposure to your live code.
node-sass runs on hosts normally used for development and usually are not visible in a public network.
You normally will use node-sass to pre-compile SCSS into CSS and vulnerabilities will not impact the resulting CSS code.
These warnings are relevant if you run the node.js server as a backend which is normally not the case. (or never the case)
One option is to use dart-sass. It has no vulnerability issues.
https://sass-lang.com/dart-sass
https://github.com/webpack-contrib/sass-loader