[Security Risk] Update cssnano to ^4.1.11
bymattoa opened this issue · 1 comments
bymattoa commented
Attempted to raise a PR myself, but not have permissions to push to this repo.
- Operating System: n/a
- Node Version:
- NPM Version:
- webpack Version:
- postcss-loader Version: all
Expected Behavior / Situation
postcss-loader has a transitive dependency on is-svg ^3.0.0 through cssnano ^4.1.10. This version contains a security risk for ReDoS attacks:
Actual Behavior / Situation
n/a
Modification Proposal
Update cssnano to ^4.1.11. This will version removes the dependency on is-svg.
"cssnano": "^4.1.11",
alexander-akait commented
We don't have cssnano in deps, please do it locally https://github.com/webpack-contrib/postcss-loader/blob/master/package.json#L44