Thanks, I took a look at the package-lock.json after a fresh install and found that y18n is only a dependency for yargs, which in turn is only a dev dependency except for sass-graph's CLI (which we don't interact with).

Also, not seeing anything from npm audit

@nschonni The scanner is still showing y18n as a vulnerability. How did you exclude yargs? I am unable to exclude yargs since node-sass is in my dependencies and node-sass is pulling in yargs.

I'm still not seeing anything installing locally, you should bring this up with whatever scanning tool vendor you're using

@nschonni what version of node-sass are you using? Also, what version of node are you using?

The tool whitesource is actually reporting y18n related to node-sass - I sadly cannot share an online result, as this is being reported within our internal installation of that tool.

But I actually do see a direct relation out of dependencies (not devDependencies) within the tree, compare to e.g.
https://npm.broofa.com/?q=node-sass

sass-graph reference: https://github.com/sass/node-sass/blob/v4.14.1/package.json#L70
-> yargs reference: https://github.com/xzyfer/sass-graph/blob/v2.2.5/package.json#L24
-> y18n reference: https://github.com/yargs/yargs/blob/v14.0.0/package.json#L31 (13.3.2 not available as a git tag)

[email protected] vulnerability description: https://snyk.io/test/npm/y18n/4.0.0

Nevertheless it would need to be sass-graph obviously first of all in need to upgrade yargs: xzyfer/sass-graph#114