bholloway/resolve-url-loader

Postcss 8

Closed this issue · 11 comments

stof commented

It would be great if the resolve-url-loader could be migrated to use postcss 8. Postcss 7 is not maintained anymore.

It also has a CVE before 8.2.10

I'm going to schedule this for v5 which 🤞 should happen in a few weeks.

The plan is to release and immediately supersede v4 with a v5. For v5 we can increase the node engine requirement and bump postcss to the latest version.

Note that discussion is split across this issue and PR #169

FWIW, this just popped up on my screen:

Overview
postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Remediation
Upgrade to version 8.2.10 or later

Resources
https://www.npmjs.com/advisories/1693

CVE-2021-23368 for reference.

There is an early v5 alpha v5 beta now available using Postcss 8, released as resolve-url-loader@next. Please give it a try. 🙏

I will leave this issue open until we have full release of resolve-url-loader@5.0.0.

If you have tried the alpha and it works for you please 👍 here.

Crossposting from #169: the alternative interim fix is to force postcss@8 with the resolutions field.

postcss released a backported fix as 7.0.36, currently waiting on the CVE to be updated.
postcss/postcss#1574 (comment)

Can the dependency in v3 be upgraded to this version?

3.1.4 was released with the upgraded dependency: #210

Just noting https://nvd.nist.gov/vuln/detail/CVE-2021-23382 - it would be good to get things updated. Hopefully with the work on v5 something can be released in the not too distant future.

CVE-2021-23382 - moderate severity
Vulnerable versions: < 8.2.13
Patched version: 8.2.13

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).

Released resolve-url-loader@5.0.0 as dist-tag latest.
Removed dist-tag next.