Closed
Description
See sass/node-sass#2625 (comment) for why this is tricky to fix.
TL;DR: Deep down in our dependency tree (node-sass → node-gyp → node-tar) lives an old version of tar that's susceptible to an arbitrary file overwrite vulnerability. We can't resolve it by just installing a newer version of tar; we're stuck waiting on a new node-sass release.