[Security Risk] Update cssnano to ^4.1.11
bymattoa opened this issue · 1 comment
bymattoa commented
Attempted to raise a PR myself, but I do not have permissions to push to this repo.
- Operating System: n/a
- Node Version:
- NPM Version:
- webpack Version:
- postcss-loader Version: all
Expected Behavior / Situation
postcss-loader has a transitive dependency on is-svg ^3.0.0 through cssnano ^4.1.10. This version contains a security risk for ReDoS attacks:
Actual Behavior / Situation
n/a
Modification Proposal
Update cssnano to ^4.1.11. This version removes the dependency on is-svg.
"cssnano": "^4.1.11",
alexander-akait commented
We don't have cssnano in deps, please do it locally https://github.com/webpack-contrib/postcss-loader/blob/master/package.json#L44