Depends on package `url-regex` with high severity vulnerability
Closed this issue · 3 comments
- Operating System (or Browser): N/A
- Node Version: 14.15.4
- postcss-values-parser Version: 4.0.0
How Do We Reproduce?
`npm i postcss-values-parser`
Expected Behavior
NPM audit returns no vulnerabilities.
Actual Behavior
NPM audit returns high severity vulnerabilities.
Please see https://www.npmjs.com/advisories/1550
Thanks for reporting, but I'm not even remotely worried about that CVE - these things are getting to the point of absurdity. `postcss-values-parser` is a development tool, so any DoS would be self-inflicted. If someone would like to open a PR to fix this, I'll happily review it, but otherwise `npm audit fix` should be able to take care of this in most trees.
This was also fixed with postcss now (https://www.npmjs.com/advisories/1693), but there is still a warning upon `npm install`, because of the older devDependency for postcss. Could you please update that, @shellscape? Thanks 🙏