See sass/node-sass#2625 (comment) for why this is tricky to fix.
TL;DR: Deep down in our dependency tree (node-sass → node-gyp → node-tar) lives an old version of tar that's susceptible to an arbitrary file overwrite vulnerability. We can't resolve it by just installing a newer version of tar; we're stuck waiting on a new node-sass release.