Sass security alert

If your website uses Sass, take note of this advisory.

2022-12-16

Latest commit: 3354e2e3, 2022-12-24
180 words • Reading time: 1 minute

On December 10 — although I personally learned of it only today — the blog for Sass published an article entitled “Security Alert: Tar Permissions.” If your website uses Sass for styling purposes, and particularly if you install it on your dev machine with .tar.gz files from Sass’s GitHub repo (perhaps using methods such as I’ve described here in the past), you should read the article and observe its recommended protections against a newly discovered vulnerability.

The article describes who is affected and explains:

We strongly recommend that users in these vulnerable groups delete and re-install Sass. All the .tar.gz files on GitHub have been scrubbed to remove the vulnerability, so you can reinstall the same version you were previously using without needing to upgrade to the latest version.

This is a privilege-escalation issue, which means it could allow a hypothetical attacker with access to a low-privilege account on your computer to escalate their access to your account’s privileges. However, this also means that it’s not a risk unless an attacker already has access to an account on your machine.

Next: Things worth watching in the Astro and Eleventy pipelines

Previous: Hugo-like archetypes in other SSGs, take two