niji-co/Fusion-Web

Vulnerability found in "postcss" package

Description

Dependabot found a vulnerability in the postcss package in our package-lock.json. This package is depended on by storybook (which was added in #4). Dependabot was unable to generate an automatic fix, so we would have to figure something out ourselves.

Remediation

Upgrade postcss to version 8.2.10 or later. For example:

"dependencies": {
  "postcss": ">=8.2.10"
}
or…
"devDependencies": {
  "postcss": ">=8.2.10"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2021-23368
moderate severity
Vulnerable versions: >= 7.0.0, < 8.2.10
Patched version: 8.2.10

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

postcss has been upgraded.

$ npm info postcss version
8.2.15
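As an added check (example code, not from the Fusion-Web repo), the script below walks a parsed package-lock.json and reports every copy of postcss inside the advisory's vulnerable range, which also catches transitive copies nested under packages such as storybook that a top-level upgrade alone can leave behind. It assumes the lock file has already been read with JSON.parse; the sample lock, its storybook entry and its versions are constructed for the example.

```javascript
// Added example (not the project's code): find every copy of postcss in a
// package-lock.json object that falls in the advisory's vulnerable range
// (>= 7.0.0, < 8.2.10 for CVE-2021-23368), transitive copies included.

const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
};

const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Vulnerable if >= lo and < hi, with the advisory's bounds as defaults.
function isVulnerable(version, lo = '7.0.0', hi = '8.2.10') {
  const v = parseVersion(version);
  return compare(v, parseVersion(lo)) >= 0 && compare(v, parseVersion(hi)) < 0;
}

// Every installed copy of `name`, from either lockfile layout:
// v2/v3 flat "packages" keyed by path, or v1 nested "dependencies".
function findCopies(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, e] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === name) hits.push({ path, version: e.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, e] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: e.version });
      walk(e.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function vulnerableCopies(lock, name = 'postcss') {
  return findCopies(lock, name).filter((h) => isVulnerable(h.version));
}

// Constructed v1-layout lock: a patched top-level postcss plus an older copy
// nested under a storybook package (the storybook version is a placeholder).
const sampleLock = { lockfileVersion: 1, dependencies: {
  postcss: { version: '8.2.15' },
  '@storybook/react': { version: '6.0.0', dependencies: { postcss: { version: '7.0.35' } } },
} };
console.log(vulnerableCopies(sampleLock)); // only the nested 7.0.35 copy
```

Run it against a real lock file with `vulnerableCopies(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means no installed copy of postcss is in the advisory's range.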