Vulnerability found in "postcss" package
Closed this issue · 1 comment
lim-james commented
Description
Dependabot found a vulnerability in the postcss package in our package-lock.json. This package is depended on by storybook (which was added in #4). Dependabot was unable to generate an automatic fix, so we would have to figure something out ourselves.
Dependabot log
Remediation
Upgrade postcss to version 8.2.10 or later. For example:
"dependencies": {
  "postcss": ">=8.2.10"
}
or…
"devDependencies": {
  "postcss": ">=8.2.10"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2021-23368
moderate severity
Vulnerable versions: >= 7.0.0, < 8.2.10
Patched version: 8.2.10
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
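Because postcss is only pulled in transitively (via storybook), the root package.json range alone does not prove the fix landed: a nested copy can remain under node_modules/@storybook/... . The following is an added example, not code from the issue or from Dependabot, that walks a package-lock.json object and reports every installed postcss inside the advisory's range; the sample lock data is constructed for illustration.

```javascript
// Added example, not code from the issue: scan a package-lock.json object for
// installed copies of postcss inside the range from CVE-2021-23368
// (>= 7.0.0, < 8.2.10). Supports lockfileVersion 1 (nested "dependencies")
// and lockfileVersion 2/3 (flat "packages"). No third-party modules needed.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
const VULN_MIN = [7, 0, 0];  // inclusive lower bound from the advisory
const PATCHED = [8, 2, 10];  // first fixed version from the advisory
function isVulnerable(version) {
  const v = parseSemver(version);
  return v !== null && cmp(v, VULN_MIN) >= 0 && cmp(v, PATCHED) < 0;
}
// Every installed postcss with its node_modules path, so a nested copy under
// storybook is reported separately from the root one.
function findPostcss(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/postcss$/.test(path) && meta.version) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === 'postcss' && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}
function vulnerablePostcss(lock) {
  return findPostcss(lock).filter((e) => isVulnerable(e.version));
}
// Constructed sample (lockfileVersion 2 shape): the root has the patched
// postcss, but storybook still carries an old 7.x copy underneath it.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  'node_modules/postcss': { version: '8.2.15' },
  'node_modules/@storybook/core/node_modules/postcss': { version: '7.0.35' },
} };
console.log(vulnerablePostcss(SAMPLE_LOCK));
```

Run it against the real lock with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of SAMPLE_LOCK; an empty array means no affected copy remains.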
lim-james commented
postcss has been upgraded.
$ npm info postcss version
8.2.15