Dart Sass
Upstream URL | Security Risk | Abandonment Risk |
---|---|---|
https://sass-lang.com/dart-sass/ | Medium | Very Low |
External contacts
The Sass team is reachable via their public GitHub issue tracker. No security policy is defined.
Security posture
Any exploit in Dart Sass (including in the Dart language runtime, which has significant trust concerns itself) could allow a malicious update of Bulma to compromise a developer workstation. This is not a very likely attack method as it requires the discovery of a Dart Sass vulnerability, the ability to push to the Bulma repository, the ability to release a version to RubyGems, and for it to not be caught by anyone until after our monthly update cycle. Still, it is a security consideration for the MoR project.
Abandonment risk
Dart Sass is the reference implementation of the Sass language. It is very unlikely that it will be abandoned, and if it were, our CSS frameworks would likely be forced to respond by changing to an alternative language.
Versioning policy
Any update will be pulled in via bundle during our monthly updates.
There are already deprecation warnings when we build our bundles due to Font Awesome, so future updates will need to be measured against compatibility with our stack. We don't pin Dart Sass ourselves, relying on FA/Bulma, but we can always pin to a specific version if needed and if it does not affect our security posture.