SNYK vulnerability found in resources.data.gov

[FuhuXia]

Please keep any sensitive details in Google Drive.

Date of report: 08/17/2020
Severity: High
Due date: 09/17/2020

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

• Analysis has been performed and an issue has been linked to address other occurrences for this class of vulnerability* (link)

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

Google Doc

[chris-macdermaid]

The vulnerability is caused by node-sass requiring an old version (2.25) of sass-graph which requires version 4.17.19 of lodash. According to sass/node-sass#2863, it should be resolved in version 5 but there is no date for version 5 to be released.
There is a package that potentially fixes the issue, but don't think it would stop the vulnerability from continuing to be reported.
https://www.npmjs.com/package/no-pollution

[chris-macdermaid]

Updated to lodash to version 4.17.20 by removing concurrently, gulp-sass, and lodash. Then installed concurrently followed by gulp-sass.

GSA/resources.data.gov#241