Sass Blog
Security Alert: Tar Permissions
Posted 10 December 2022 by Natalie Weizenbaum
The Sass team was recently alerted by prolific external contributor @ntkme to a security issue in our release process.
TL;DR
If you’re using Linux or Mac OS, run `ls -ax path/to/sass`. If the last group of letters in the first column contains `w`, you’re vulnerable:
Vulnerable: -rwxr-xrwx 1 nweiz primarygroup 407 Dec 13 12:33 sass-1.56.2/sass
Not vulnerable: -rwxr-xr-x 1 nweiz primarygroup 407 Dec 13 12:33 sass-1.56.2/sass
If you’re using the `sass-embedded` package, do the same thing for `node_modules/sass-embedded/dist/lib/src/vendor/dart-sass-embedded/dart-sass-embedded`.
Who’s Affected?
While we don’t expect this issue to be a problem for the vast majority of users, it does affect the following groups:
- Users who downloaded the stand-alone Dart Sass, Dart Sass Embedded, or Sass Migrator `.tar.gz` archives from the Dart Sass website and extracted them as the Unix root user.
- Users who installed the `sass-embedded` npm package as the Unix root user prior to version 1.54.5.
- Users who installed the “non-native” version of the community-maintained `sass-embedded` RubyGems package as the Unix root…
Request for Comments: Color Spaces
Posted 21 September 2022 by Miriam Suzanne and Natalie Weizenbaum
There’s been a lot of exciting work in the CSS color specifications lately, and as it begins to land in browsers we’ve been preparing to add support for it in Sass as well. The first and largest part of that is adding support for color spaces to Sass, which represents a huge (but largely backwards-compatible) rethinking of the way colors work.
Historically, all colors in CSS have existed in the same color space, known as “sRGB”. Whether you represent them as a hex code, an `hsl()` function, or a color name, they represented the same set of visible colors you could tell a screen to display. While this is conceptually simple, there are some major downsides:
- As monitors have improved over time, they’ve become capable of displaying more colors than can be represented in the sRGB color space.
- sRGB, even when you’re using it via `hsl()`, doesn’t correspond very well with how humans perceive colors. Cyan looks noticeably lighter than purple with the same saturation and lightness values.
- There’s…
Request for Comments: Strict Unary Operators
Posted 15 June 2022 by Natalie Weizenbaum
Do you know what `margin: $a -$b` does in Sass? If you said “the same thing as `margin: $a (-$b)`”, I’m sorry, but you’re wrong. It’s actually the same thing as `margin: $a - $b`. Don’t worry, you’re not the first person to get tripped up by this weird corner of Sass’s parser! But our new language proposal aims to fix that.
In the Strict Unary Operators proposal, which is currently open for community feedback, we propose to first deprecate and then eventually disallow expressions of the form `$a -$b`. We know deprecations are never pleasant, but this should be fairly painless as they go: you can simply write `$a - $b` or `$a (-$b)`, depending which you intend. We’ll also provide a Sass migrator migration to automatically update your stylesheets.
Deprecated:
- `$a -$b` will no longer be allowed, because it’s unclear what the author intended and the current behavior is likely to be incorrect.
Still allowed:
- `$a - $b` will continue to work, since it’s…
Embedded Sass is Live
Posted 1 February 2022 by Natalie Weizenbaum
After several years of planning and development, I’m excited to finally announce the stable release of Embedded Dart Sass along with its first official wrapper, the `sass-embedded` package available now on npm!
Embedded Sass is an ongoing effort to make a highly-performant Sass library available to as many different languages as possible, starting with Node.js. Although Node.js already has access to the pure-JS `sass` package, the nature of JavaScript inherently limits how quickly this package can process large Sass files especially in asynchronous mode. We expect `sass-embedded` to be a major boon to developers for whom compilation speed is a concern, particularly the remaining users of `node-sass` for whom performance has been a major reason to avoid Dart Sass.
The `sass-embedded` package fully supports the new JS API as well as the legacy API other than a few cosmetic options. You can use it as a drop-in replacement for the `sass` package, and it should work with all the same build plugins and libraries. Note that `sass-embedded` is a bit…
New JS API Release Candidate is Live
Posted 21 November 2021 by Natalie Weizenbaum
The new JavaScript API that we announced a few months ago is now fully implemented in Dart Sass and ready for you to try! The new API is designed to be more idiomatic, performant, and usable than the old one, and we hope it’ll be adopted swiftly by tooling packages.
Because this is such a substantial addition, we want to give users a chance to kick the tires a bit before we set it in stone, so we’ve released it as a release candidate in Dart Sass 1.45.0-rc.1. Download it, try it out, and let us know what you think by filing issues or sending us a tweet. Unless major changes are necessary, we plan to make a stable release some time next week.
How to use it
The new API comes with four new entrypoint functions: `compile()` and `compileAsync()` take Sass file paths and return the result of compiling them to CSS, while `compileString()` and `compileStringAsync()` take a string of Sass source and…