This repository was archived by the owner on Jul 24, 2024. It is now read-only.

[Security] new node-gyp version available to patch security vulnerability #2636

@benwiley4000


Since the #2625 discussion got locked, I had to open a new thread, but I just wanted to note that a few hours ago node-gyp v4.0.0 was released, which patches the security vulnerability with the tar package.

nodejs/node-gyp#1718 (comment)

The major version bump is because node-gyp v4 drops support for any Node.js version lower than 6. This sounds like a big change since node-sass currently supports Node.js 0.10 and higher.

However...

I noticed that the currently used version of node-gyp (v3.8) only officially supports Node.js 4 and higher, so perhaps the Node version restriction is irrelevant for node-sass's use case, and it could be released as a minor or patch version bump.
