shellscape/postcss-values-parser

Depends on package `url-regex` with high severity vulnerability

Closed this issue · 3 comments

  • Operating System (or Browser): N/A
  • Node Version: 14.15.4
  • postcss-values-parser Version: 4.0.0

How Do We Reproduce?

npm i postcss-values-parser

Expected Behavior

NPM audit returns no vulnerabilities.

Actual Behavior

NPM audit returns high severity vulnerabilities.

Thanks for reporting, but I'm not even remotely worried about that CVE - these things are getting to the point of absurdity. postcss-values-parser is a development tool, so any DoS would be self-inflicted. If someone would like to open a PR to fix this, I'll happily review it, but otherwise npm audit fix should be able to take care of this in most trees.

This was fixed also with postcss now (https://www.npmjs.com/advisories/1693), but there is still a warning upon npm install, because of the older devDependency for postcss. Could you please update that, @shellscape? Thanks 🙏