Security Alert - Package: postcss; Severity: MEDIUM; Vuln ID: GHSA-hwj9-h5mp-3pm3
Closed this issue · 1 comment
phenggeler commented
due: 2022-03-26
A new vulnerability has been reported by Dependabot. The criticality of this vulnerability is MEDIUM.
MEDIUM vulnerabilities have an SLA of 60 days according to our policy.
Affected package: postcss
Ecosystem: NPM
Affected version range: >= 7.0.0, < 7.0.36
Summary: Regular Expression Denial of Service in postcss
Description: The npm package `postcss` from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Identifiers: GHSA-hwj9-h5mp-3pm3 (GHSA), CVE-2021-23368 (CVE)
Fixed Version: 7.0.36
Created Date: January 25, 2022
***Additional Context***
https://github.com/Recidiviz/covid19-dashboard/security/dependabot?q=is%3Aopen+sort%3Anewest
phenggeler commented
The Recidiviz security team has been exploring some automation in this ticket: https://github.com/Recidiviz/security-operations-automation/issues/5
The goal is to automatically generate GitHub issues when a Dependabot alert is made. On January 24, 2022, the script we are using was modified. This led to several dozen duplicate issues being created and reported as vulnerabilities. This issue is one of those duplicate issues.
Given that the issue is a duplicate, we have closed this issue out and removed the following labels:
Severity Label
Subject: Security
Subject: Vulnerability