build(deps): ReDoS vulnerability from intermediate dependency #3125
Conversation
There is an issue with Alpine release checks, but I've checked PRs nearby and it looks like a common issue.
type: 'string', | ||
}, | ||
includePath: { | ||
type: 'string', |
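Review bot: `includePath` is declared here with only `type: 'string'`; if the intent is for it to accept repeated values, the flag definition also needs `isMultiple: true`, otherwise meow hands back a single string and any downstream code that iterates over the value breaks. Please confirm the definition carries `isMultiple: true`, or keep the array coercion that this change removes.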
I'm not sure this is fully equivalent to the below, since I think the API is expecting an array in all cases, which was why it coerced it if it wasn't. Maybe that `isMultiple` forces the same thing.
meow always returns an array for `isMultiple` flags according to the documentation.
I checked the behaviour and removed the unnecessary code below as well: https://github.com/sass/node-sass/pull/3125/files/be85ce1818a68e45d4f40672fce5424a918bebd9#diff-66e4eb9929e494460303e4a5e5c4ea4252befaf983cc44bfea286987f0509ef9L285
Appreciate all your effort. This is released in 6.0.1.
Should also make the move to ESM - quite a few are starting to do it right now.
We're not open to adopting ESM modules at this time. We want to minimise churn and limit releases to security patches and major compatibility issues.
@xzyfer security first, nice that this PR is merged. I was waiting for it, like for the gulp-sass pull.
Thanks for the reminder @ljuroszekPerfectgym. I've released a 4.1.1 with the lodash update.
hell yeah, thanks!
Was this backported to the 4.14.X version as well?
Looks like we can back port this to 4.x by updating to meow@7 without too much happy. I'll try to cut a release in the next 48hrs.
Are there still plans to back port this to 4.x?
Hello folks,
CVE-2021-33623 describes a ReDoS vulnerability in an intermediate meow dependency, so I updated meow from 3.7.0 to 9.0.0.
Unfortunately I could not update to the latest version of meow (10.0.0), because the meow code was migrated to ESM and node-sass requires node engine >= 12 according to the current package.json.