Update dependency sass to v1.69.5

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sass	1.57.0 -> 1.69.5

---

Release Notes

sass/dart-sass (sass)

v1.69.5

Compare Source

JS API

• Compatibility with Node.js 21.0.0.

v1.69.4

Compare Source

• No user-visible changes.

v1.69.3

Compare Source

Embedded Sass

• Fix TypeScript type locations in package.json.

v1.69.2

Compare Source

JS API

• Fix a bug where Sass crashed when running in the browser if there was a global
  variable named process.

v1.69.1

Compare Source

• No user-visible changes.

v1.69.0

Compare Source

• Add a meta.get-mixin() function that returns a mixin as a first-class Sass
  value.

• Add a meta.apply() mixin that includes a mixin value.

• Add a meta.module-mixins() function which returns a map from mixin names in
  a module to the first-class mixins that belong to those names.

• Add a meta.accepts-content() function which returns whether or not a mixin
  value can take a content block.

• Add support for the relative color syntax from CSS Color 5. This syntax
  cannot be used to create Sass color values. It is always emitted as-is in the
  CSS output.

Dart API

• Deprecate Deprecation.calcInterp since it was never actually emitted as a
  deprecation.

Embedded Sass

• Fix a rare race condition where the embedded compiler could freeze when a
  protocol error was immediately followed by another request.

v1.68.0

Compare Source

• Fix the source spans associated with the abs-percent deprecation.

JS API

• Non-filesystem importers can now set the nonCanonicalScheme field, which
  declares that one or more URL schemes (without :) will never be used for
  URLs returned by the canonicalize() method.

• Add a containingUrl field to the canonicalize() and findFileUrl()
  methods of importers, which is set to the canonical URL of the stylesheet that
  contains the current load. For filesystem importers, this is always set; for
  other importers, it's set only if the current load has no URL scheme, or if
  its URL scheme is declared as non-canonical by the importer.

Dart API

• Add AsyncImporter.isNonCanonicalScheme, which importers (async or sync) can
  use to indicate that a certain URL scheme will never be used for URLs returned
  by the canonicalize() method.

• Add AsyncImporter.containingUrl, which is set during calls to the
  canonicalize() method to the canonical URL of the stylesheet that contains
  the current load. This is set only if the current load has no URL scheme, or
  if its URL scheme is declared as non-canonical by the importer.

Embedded Sass

• The CalculationValue.interpolation field is deprecated and will be removed
  in a future version. It will no longer be set by the compiler, and if the host
  sets it it will be treated as equivalent to CalculationValue.string except
  that "(" and ")" will be added to the beginning and end of the string
  values.

• Properly include TypeScript types in the sass-embedded package.

v1.67.0

Compare Source

• All functions defined in CSS Values and Units 4 are now once again parsed as
  calculation objects: round(), mod(), rem(), sin(), cos(), tan(),
  asin(), acos(), atan(), atan2(), pow(), sqrt(), hypot(),
  log(), exp(), abs(), and sign().

  Unlike in 1.65.0, function calls are not locked into being parsed as
  calculations or plain Sass functions at parse-time. This means that
  user-defined functions will take precedence over CSS calculations of the same
  name. Although the function names calc() and clamp() are still forbidden,
  users may continue to freely define functions whose names overlap with other
  CSS calculations (including abs(), min(), max(), and round() whose
  names overlap with global Sass functions).

• Breaking change: As a consequence of the change in calculation parsing
  described above, calculation functions containing interpolation are now parsed
  more strictly than before. However, almost all interpolations that would
  have produced valid CSS will continue to work. The only exception is
  #{$variable}% which is not valid in Sass and is no longer valid in
  calculations. Instead of this, either use $variable directly and ensure it
  already has the % unit, or write ($variable * 1%).

• Potentially breaking bug fix: The importer used to load a given file is no
  longer used to load absolute URLs that appear in that file. This was
  unintented behavior that contradicted the Sass specification. Absolute URLs
  will now correctly be loaded only from the global importer list. This applies
  to the modern JS API, the Dart API, and the embedded protocol.

Embedded Sass

• Substantially improve the embedded compiler's performance when compiling many
  files or files that require many importer or function call round-trips with
  the embedded host.

v1.66.1

Compare Source

JS API

• Fix a bug where Sass compilation could crash in strict mode if passed a
  callback that threw a string, boolean, number, symbol, or bignum.

v1.66.0

Compare Source

• Breaking change: Drop support for the additional CSS calculations defined
  in CSS Values and Units 4. Custom Sass functions whose names overlapped with
  these new CSS functions were being parsed as CSS calculations instead, causing
  an unintentional breaking change outside our normal [compatibility policy] for
  CSS compatibility changes.

  Support will be added again in a future version, but only after Sass has
  emitted a deprecation warning for all functions that will break for at least
  three months prior to the breakage.

v1.65.1

Compare Source

• Update abs-percent deprecatedIn version to 1.65.0.

v1.65.0

Compare Source

• All functions defined in CSS Values and Units 4 are now parsed as calculation
  objects: round(), mod(), rem(), sin(), cos(), tan(), asin(),
  acos(), atan(), atan2(), pow(), sqrt(), hypot(), log(), exp(),
  abs(), and sign().

• Deprecate explicitly passing the % unit to the global abs() function. In
  future releases, this will emit a CSS abs() function to be resolved by the
  browser. This deprecation is named abs-percent.

v1.64.2

Compare Source

• No user-visible changes.

v1.64.1

Compare Source

Embedded Sass

• Fix a bug where a valid SassCalculation.clamp() with less than 3 arguments
  would throw an error.

v1.64.0

Compare Source

• Comments that appear before or between @use and @forward rules are now
  emitted in source order as much as possible, instead of always being emitted
  after the CSS of all module dependencies.

• Fix a bug where an interpolation in a custom property name crashed if the file
  was loaded by a @use nested in an @import.

JavaScript API

• Add a new SassCalculation type that represents the calculation objects added
  in Dart Sass 1.40.0.

• Add Value.assertCalculation(), which returns the value if it's a
  SassCalculation and throws an error otherwise.

• Produce a better error message when an environment that supports some Node.js
  APIs loads the browser entrypoint but attempts to access the filesystem.

Embedded Sass

• Fix a bug where nested relative @imports failed to load when using the
  deprecated functions render or renderSync and those relative imports were
  loaded multiple times across different files.

v1.63.6

Compare Source

JavaScript API

• Fix import sass from 'sass' again after it was broken in the last release.

Embedded Sass

• Fix the exports declaration in package.json.

v1.63.5

Compare Source

JavaScript API

• Fix a bug where loading the package through both CJS require() and ESM
  import could crash on Node.js.

Embedded Sass

• Fix a deadlock when running at high concurrency on 32-bit systems.

• Fix a race condition where the embedded compiler could deadlock or crash if a
  compilation ID was reused immediately after the compilation completed.

v1.63.4

Compare Source

JavaScript API

• Re-enable support for import sass from 'sass' when loading the package from
  an ESM module in Node.js. However, this syntax is now deprecated; ESM users
  should use import * as sass from 'sass' instead.

  On the browser and other ESM-only platforms, only import * as sass from 'sass' is supported.

• Properly export the legacy API values TRUE, FALSE, NULL, and types from
  the ECMAScript module API.

Embedded Sass

• Fix a race condition where closing standard input while requests are in-flight
  could sometimes cause the process to hang rather than shutting down
  gracefully.

• Properly include the root stylesheet's URL in the set of loaded URLs when it
  fails to parse.

v1.63.3

Compare Source

JavaScript API

• Fix loading Sass as an ECMAScript module on Node.js.

v1.63.2

Compare Source

• No user-visible changes.

v1.63.1

Compare Source

• No user-visible changes.

v1.63.0

Compare Source

JavaScript API

• Dart Sass's JS API now supports running in the browser. Further details and
  instructions for use are in the README.

Embedded Sass

• The Dart Sass embedded compiler is now included as part of the primary Dart
  Sass distribution, rather than a separate executable. To use the embedded
  compiler, just run sass --embedded from any Sass executable (other than the
  pure JS executable).

  The Node.js embedded host will still be distributed as the sass-embedded
  package on npm. The only change is that it will now provide direct access to a
  sass executable with the same CLI as the sass package.

• The Dart Sass embedded compiler now uses version 2.0.0 of the Sass embedded
  protocol. See the spec for a full description of the
  protocol, and the changelog for a summary of
  changes since version 1.2.0.

• The Dart Sass embedded compiler now runs multiple simultaneous compilations in
  parallel, rather than serially.

v1.62.1

Compare Source

• Fix a bug where :has(+ &) and related constructs would drop the leading
  combinator.

v1.62.0

Compare Source

• Deprecate the use of multiple !global or !default flags on the same
  variable. This deprecation is named duplicate-var-flags.

• Allow special numbers like var() or calc() in the global functions:
  grayscale(), invert(), saturate(), and opacity(). These are also
  native CSS filter functions. This is in addition to number values which were
  already allowed.

• Fix a cosmetic bug where an outer rule could be duplicated after nesting was
  resolved, instead of re-using a shared rule.

v1.61.0

Compare Source

• Potentially breaking change: Drop support for End-of-Life Node.js 12.

• Fix remaining cases for the performance regression introduced in 1.59.0.

Embedded Sass

• The JS embedded host now loads files from the working directory when using the
  legacy API.

v1.60.0

Compare Source

• Add support for the pi, e, infinity, -infinity, and NaN constants in
  calculations. These will be interpreted as the corresponding numbers.

• Add support for unknown constants in calculations. These will be interpreted
  as unquoted strings.

• Serialize numbers with value infinity, -infinity, and NaN to calc()
  expressions rather than CSS-invalid identifiers. Numbers with complex units
  still can't be serialized.

v1.59.3

Compare Source

• Fix a performance regression introduced in 1.59.0.

• The NPM release of 1.59.0 dropped support for Node 12 without actually
  indicating so in its pubspec. This release temporarily adds back support so
  that the latest Sass version that declares it supports Node 12 actually does
  so. However, Node 12 is now end-of-life, so we will drop support for it
  properly in an upcoming release.

v1.59.2

Compare Source

• No user-visible changes.

v1.59.1

Compare Source

• No user-visible changes.

v1.59.0

Compare Source

Command Line Interface

• Added a new --fatal-deprecation flag that lets you treat a deprecation
  warning as an error. You can pass an individual deprecation ID
  (e.g. slash-div) or you can pass a Dart Sass version to treat all
  deprecations initially emitted in that version or earlier as errors.

• New --future-deprecation flag that lets you opt into warning for use of
  certain features that will be deprecated in the future. At the moment, the
  only option is --future-deprecation=import, which will emit warnings for
  Sass @import rules, which are not yet deprecated, but will be in the future.

Dart API

• New Deprecation enum, which contains the different current and future
  deprecations used by the new CLI flags.

• The compile methods now take in fatalDeprecations and futureDeprecations
  parameters, which work similarly to the CLI flags.

v1.58.3

Compare Source

• No user-visible changes.

v1.58.2

Compare Source

Command Line Interface

• Add a timestamp to messages printed in --watch mode.

• Print better calc()-based suggestions for /-as-division expression that
  contain calculation-incompatible constructs like unary minus.

v1.58.1

Compare Source

• Emit a unitless hue when serializing hsl() colors. The deg unit is
  incompatible with IE, and while that officially falls outside our
  compatibility policy, it's better to lean towards greater compatibility.

v1.58.0

Compare Source

• Remove sourcemap comments from Sass sources. The generated sourcemap comment
  for the compiled CSS output remains unaffected.

• Fix a bug in @extend logic where certain selectors with three or more
  combinators were incorrectly considered superselectors of similar selectors
  with fewer combinators, causing them to be incorrectly trimmed from the
  output.

• Produce a better error message for a number with a leading + or -, a
  decimal point, but no digits.

• Produce a better error message for a nested property whose name starts with
  --.

• Fix a crash when a selector ends in an escaped backslash.

• Add the relative length units from CSS Values 4 and CSS Contain 3 as known
  units to validate bad computation in calc.

Command Line Interface

• The --watch flag will now track loads through calls to meta.load-css() as
  long as their URLs are literal strings without any interpolation.

v1.57.1

Compare Source

• No user-visible changes.

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[netlify]

✅ Deploy Preview for releasebump ready!

Name	Link
🔨 Latest commit	624a826
🔍 Latest deploy log	https://app.netlify.com/sites/releasebump/deploys/6539c3afe57de500081759b8
😎 Deploy Preview	https://deploy-preview-274--releasebump.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Filesystem access	sass	1.64.1	Module: fs Location: sass.js +1 more instances...	package.json

Next steps

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]