Dependency on sass-convert (unmaintained + vulnerabilities)

[bulutfatih]

Hi SassDoc maintainers 👋

While integrating SassDoc into a modern build pipeline I noticed that the package still depends on sass-convert.

Unfortunately sass-convert (Ruby-based) has been unmaintained for ≈10 years and flagged with multiple vulnerabilities.

Because SassDoc ships sass-convert as a production dependency, every downstream consumer inherits these risks. Most security scanners now fail our builds by default.

Would it be possible to replace it with a maintained one alternative?

Thanks a lot 🙏

[pascalduez]

Hello @bulutfatih,

as far as I can tell nobody here will have time or interest in maintaining our own sass-convert. This has always been a sort of hack/workaround.
I'm not aware of any other alternatives, at least the last time I searched.
Furthermore Sass (at least dart Sass) does not offer a convertion tool anymore as well.

I guess one of the only thing we could do here is release a major version of sassdoc without sass-convert, and in such no indented syntax support. But even this is not trivial, as sassdoc core is also lagging very badly in term of maintenance and dependencies updates.

Help welcome.