
chore(deps): update dependency sass-loader to v17 #3959

Open
renovate[bot] wants to merge 1 commit into develop from renovate/sass-loader-17.x

renovate Bot (Contributor) commented Jun 13, 2026

This PR contains the following updates:

Package      Change
sass-loader  ^13.0.0 → ^17.0.0

Release Notes

webpack/sass-loader (sass-loader)

v17.0.0


Major Changes
  • Add "auto" to the api option and make it the default. When the Sass implementation supports the modern compiler, "auto" enables it and reuses a single long-running compiler across files, which significantly improves build performance; otherwise it falls back to the modern API. (by @​alexander-akait in #​1319)

  • Remove node-sass support. (by @​alexander-akait in #​1316)

  • Minimum supported NodeJS version is 22.11.0. (by @​alexander-akait in #​1318)

  • Convert source to native ECMAScript modules. The package now declares "type": "module" and exposes both an ESM and a CommonJS build via the exports field. CommonJS consumers continue to work via require, and ESM consumers can now import the loader directly. (by @​alexander-akait in #​1322)

  • Remove legacy Sass JS API support. (by @​alexander-akait in #​1316)

Minor Changes

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

16.0.8 (2026-05-08)
Bug Fixes
16.0.7 (2026-02-05)
Bug Fixes
16.0.6 (2025-10-23)
Bug Fixes
  • cache fs calls for modern API
16.0.5 (2025-02-14)
Bug Fixes
16.0.4 (2024-12-04)
Bug Fixes
  • include sources map content for modern api by default (#1250) (70a10ff)
16.0.3 (2024-11-01)
Bug Fixes
16.0.2 (2024-09-20)
Bug Fixes

v16.0.8

v16.0.7

v16.0.6

v16.0.5

v16.0.4

v16.0.3

v16.0.2

v16.0.1

Bug Fixes

v16.0.0


⚠ BREAKING CHANGES
  • use modern Sass JS API by default for sass and sass-embedded

WARNING: The sass options are different for the legacy (before) and modern APIs. Please look at the docs for how to migrate to the modern options.
Legacy options - https://sass-lang.com/documentation/js-api/interfaces/legacystringoptions/
Modern options - https://sass-lang.com/documentation/js-api/interfaces/options/

To return to the previous logic use:

module.exports = {
  module: {
    rules: [
      {
        test: /\.s[ac]ss$/i,
        use: [
          "style-loader",
          "css-loader",
          {
            loader: "sass-loader",
            options: {
              api: "legacy",
              // Your options
            },
          },
        ],
      },
    ],
  },
};
Features
  • use modern Sass JS API by default for sass and sass-embedded (10be1ba)

v15.0.0


⚠ BREAKING CHANGES
  • prefer sass-embedded over sass by default (#​1211)
Features
14.2.1 (2024-04-16)
Bug Fixes

v14.2.1


⚠ BREAKING CHANGES
  • prefer sass-embedded over sass by default (#​1211)
Features
14.2.1 (2024-04-16)
Bug Fixes

v14.2.0


⚠ BREAKING CHANGES
  • prefer sass-embedded over sass by default (#​1211)
Features
14.2.1 (2024-04-16)
Bug Fixes

v14.1.1


Features
  • added the modern-compiler value for API to reuse compiler process (#​1195) (cef40a8)
  • support webpack built-in resolver for modern and modern-compiler API (#​1197) (2265b72)

Notes:

Using the modern-compiler value for the api option together with sass-embedded reduces compilation time by 5-10 times, especially for projects using large files with a lot of @import/@use; for small files the build time reduction will not be significant.

14.1.1 (2024-02-19)
Bug Fixes

v14.1.0


Features
  • added the modern-compiler value for API to reuse compiler process (#​1195) (cef40a8)
  • support webpack built-in resolver for modern and modern-compiler API (#​1197) (2265b72)

Notes:

Using the modern-compiler value for the api option together with sass-embedded reduces compilation time by 5-10 times, especially for projects using large files with a lot of @import/@use; for small files the build time reduction will not be significant.

14.1.1 (2024-02-19)
Bug Fixes

v14.0.0


⚠ BREAKING CHANGES
  • removed fibers support
  • minimum supported Node.js version is 18.12.0 (627f55d)
13.3.3 (2023-12-25)
Bug Fixes
13.3.2 (2023-06-09)
Bug Fixes
13.3.1 (2023-05-28)
Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

cursor Bot left a comment

Stale comment

Security review — no findings

Outcome: No medium, high, or critical vulnerabilities identified in this PR.

Scope reviewed

  • web/package.json: sass-loader bumped from ^13.0.0 to ^17.0.0
  • web/package-lock.json — lockfile refresh for sass-loader@17.0.0

Analysis

sass-loader is a devDependency used only at build time by Vue CLI/Webpack to compile .sass/.scss sources. It does not ship to production or process runtime user input, so there is no attacker-controlled input path to a security sink.

Supply chain: sass-loader@17.0.0 is published by the official webpack project, has no known CVEs, and drops its prior runtime dependency (neo-async), slightly reducing transitive surface.

Attack surface: Inputs are developer-controlled repository sources (Vue SFC styles, Vuetify SASS). Exploitation would require repository write access, which is outside the threat model for this dependency bump.

Compatibility note (non-security): sass-loader v17 removes legacy Sass JS API support and requires Node >=22.11.0. With the pinned sass@~1.32.12, npm run build fails (Unknown Sass implementation — ESM default-export mismatch with the legacy package). CI uses Node 24, so this is a build breakage risk, not a runtime security exposure.

Prior threads

No previous automation review threads were present on this PR.


Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/sass-loader-17.x branch from 7d072a0 to 185ba7f on June 14, 2026 09:48

cursor Bot left a comment

Security review — no findings

Outcome: No medium, high, or critical vulnerabilities identified in this PR.

Scope reviewed

  • web/package.json: sass-loader bumped from ^13.0.0 to ^17.0.0
  • web/package-lock.json — lockfile refresh for sass-loader@17.0.0

Analysis

sass-loader is a devDependency used only at build time by Vue CLI/Webpack to compile .sass/.scss sources. It does not ship to production or process runtime user input, so there is no attacker-controlled input path to a security sink.

Supply chain: sass-loader@17.0.0 is published by the official webpack project, has no known CVEs, and drops its prior runtime dependency (neo-async), slightly reducing transitive surface.

Attack surface: Inputs are developer-controlled repository sources (Vue SFC styles, Vuetify SASS). Exploitation would require repository write access, which is outside the threat model for this dependency bump.

Compatibility note (non-security): sass-loader v17 removes legacy Sass JS API support and requires Node >=22.11.0. With the pinned sass@~1.32.12, builds may fail (Unknown Sass implementation — ESM default-export mismatch with the legacy package). This is a build breakage risk, not a runtime security exposure.

Prior threads

Previous automation review (no inline threads) re-validated; no findings remain.


Sent by Cursor Automation: Find vulnerabilities
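
The supply-chain and compatibility points raised in the review above (registry source, build-time-only scope, Node >=22.11.0) can be checked mechanically against the lockfile entry before merging. This is an added example, not part of the PR or of either bot's output; the lockfile object, the placeholder integrity value and the function names are constructed for illustration.

```javascript
// Added example. SAMPLE_LOCK is constructed (lockfileVersion 3 shape); the
// integrity value is a placeholder, not a real hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/sass-loader": {
      version: "17.0.0",
      resolved: "https://registry.npmjs.org/sass-loader/-/sass-loader-17.0.0.tgz",
      integrity: "sha512-PLACEHOLDER",
      dev: true,
      engines: { node: ">= 22.11.0" },
    },
  },
};

// True when dotted version a is >= b (numeric compare of major.minor.patch).
function versionAtLeast(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Returns a list of findings for one package; an empty list means it passed.
function auditLockEntry(lock, name, ciNodeVersion, registryHost = "registry.npmjs.org") {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!entry) return [`${name}: no lockfile entry`];
  const findings = [];
  let url = null;
  try { url = new URL(entry.resolved); } catch { /* missing or malformed URL */ }
  // Supply chain: the tarball must come from the expected registry over HTTPS.
  if (!url || url.protocol !== "https:" || url.hostname !== registryHost)
    findings.push(`${name}: unexpected tarball source ${entry.resolved}`);
  // The integrity field must pin the tarball with a sha512 SRI hash.
  if (!/^sha512-\S+$/.test(entry.integrity || ""))
    findings.push(`${name}: missing sha512 integrity`);
  // The review relies on build-time-only use; npm records that as dev: true.
  if (entry.dev !== true) findings.push(`${name}: not marked dev-only`);
  // Engine floor (">= x.y.z" form) must be met by the Node version CI runs.
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec((entry.engines || {}).node || "");
  if (m && !versionAtLeast(ciNodeVersion, m[1]))
    findings.push(`${name}: needs Node ${m[1]}, CI has ${ciNodeVersion}`);
  return findings;
}
```

In a real pipeline the lock object would come from parsing web/package-lock.json and the Node version from the CI runner.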
