I have projects to maintain that use node-sass npm module.
Since node 10.x, there is a tool (called npm audit) that is run every time we do a npm install. This seems to be a good tool for preventing vulnerability issues.
My problem is that the node-sass module has vulnerabilities. I saw that the maintainers of the project do not want to fix the issues, for bad reasons. https://github.com/sass/node-sass/issues/2262
People maintaining popular modules like node-sass should fix vulnerability issues as soon as possible, but unfortunately they don't.
I am not an expert in security, so I prefer to rely on what npm indicates and no longer use dependencies that print messages that let you think your software is crap.
But I like SASS so much for writing CSS that I would like to give it a chance and keep it. Any ideas for removing these vulnerability messages while keeping the project safe and not reducing the developer experience?
This security issue is mainly irrelevant to node-sass since it never sees any exposure to your live code.
node-sass runs on hosts normally used for development, which are usually not visible on a public network.
You normally use node-sass to pre-compile SCSS into CSS, and vulnerabilities will not impact the resulting CSS code.
These warnings are relevant if you run the Node.js server as a backend, which is normally not the case (or never the case).
One option is to use dart-sass. It has no vulnerability issues.
https://sass-lang.com/dart-sass
https://github.com/webpack-contrib/sass-loader
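The two answers above both come down to one check and one change: confirm that node-sass is only a build-time (devDependencies) package so the advisory never reaches a deployed server, and if you want the warnings gone, swap it for Dart Sass (the `sass` npm package). The script below is an added example, not code from the question, the answers, or the node-sass/sass-loader projects; the `samplePackageJson` manifest and the `^1.26.0` version range for `sass` are constructed values for the demonstration.

```javascript
// Added example: inspect a package.json manifest to see whether node-sass is a
// runtime dependency or only a build-time devDependency, then produce a copy of
// the manifest that replaces node-sass with Dart Sass ("sass").

// Constructed sample manifest (not from any real project).
const samplePackageJson = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    express: "^4.17.1"
  },
  devDependencies: {
    "node-sass": "^4.12.0",
    "sass-loader": "^7.1.0",
    webpack: "^4.41.0"
  }
};

// Report which section of the manifest a package lives in.
// "production"  -> installed on the deployed host, so an advisory can matter at runtime
// "development" -> build-time only; it never ships with the compiled CSS
// "absent"      -> not a direct dependency at all
function classifyDependency(pkg, name) {
  const has = (section) =>
    pkg[section] && Object.prototype.hasOwnProperty.call(pkg[section], name);
  if (has("dependencies")) return "production";
  if (has("devDependencies")) return "development";
  return "absent";
}

// Return a deep copy of the manifest with node-sass replaced by the "sass"
// package in whichever section it was found. The original object is untouched.
// sassRange is an assumed version range; pin whatever your project actually needs.
function migrateToDartSass(pkg, sassRange = "^1.26.0") {
  const copy = JSON.parse(JSON.stringify(pkg));
  for (const section of ["dependencies", "devDependencies"]) {
    if (copy[section] && "node-sass" in copy[section]) {
      delete copy[section]["node-sass"];
      copy[section].sass = sassRange;
    }
  }
  return copy;
}

// Stand-alone run: show where node-sass sits and what the migrated manifest looks like.
console.log("node-sass is a", classifyDependency(samplePackageJson, "node-sass"), "dependency");
console.log(JSON.stringify(migrateToDartSass(samplePackageJson), null, 2));
```

After writing the migrated manifest back to disk and running `npm install`, point sass-loader at the new compiler with its `implementation` option (`implementation: require('sass')` in the loader options) so webpack stops resolving node-sass; the SCSS sources themselves do not need to change.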