webpack-contrib/postcss-loader

Security vulnerability affecting all versions

migill opened this issue · 8 comments

A security vulnerability in postcss-loader has been identified by snyk.io (see https://security.snyk.io/vuln/SNYK-JS-POSTLOADER-2403737).

We are postcss-loader; you provided a link to post-loader, which is a different package.

Sorry, you're right! And yet, JFrog Artifactory is preventing me from using your package based on that vulnerability - how odd...

Can you show the message?

npm audit reports the following:

Critical post-loader Package for Node.js index.js postLoader() Function Insecure Template Literal Handling Arbitrary Code Execution

Package postcss-loader

Patched in

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > postcss-loader

More info https://security.snyk.io/vuln/SNYK-JS-POSTLOADER-2403737,ht…

Can you write npm ls postcss-loader and npm ls post-loader?
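As an added example (not from this thread or the postcss-loader project), this is the offline counterpart of the npm ls check above: it reads a package-lock.json (lockfileVersion 2/3 "packages" layout is assumed) and reports whether the package an advisory is really about, post-loader, is installed at all, as opposed to the similarly named postcss-loader. The lockfile content below is constructed to mirror the dependency path shown in the npm audit output.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2/3 "packages" layout),
# shaped like the path npm audit reported: @angular-devkit/build-angular > postcss-loader.
# The build-angular version is a made-up sample value.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"devDependencies": {"@angular-devkit/build-angular": "^13.0.0"}},
        "node_modules/@angular-devkit/build-angular": {
            "version": "13.0.0", "dev": True,
            "dependencies": {"postcss-loader": "6.2.1"},
        },
        "node_modules/postcss-loader": {"version": "6.2.1", "dev": True},
    },
})


def installed_packages(lock_text):
    """Map exact package name -> sorted list of installed versions from a lockfile."""
    lock = json.loads(lock_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        # The package name is everything after the last "node_modules/" segment
        # (nested installs look like node_modules/a/node_modules/b).
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(meta.get("version", "?"))
    return {n: sorted(v) for n, v in found.items()}


def triage_advisory(lock_text, advisory_package):
    """Return (present, versions) for the package an advisory is actually about.

    An exact-name lookup is the point: a finding for post-loader reported against
    a tree that only contains postcss-loader is a candidate false positive."""
    pkgs = installed_packages(lock_text)
    return advisory_package in pkgs, pkgs.get(advisory_package, [])


if __name__ == "__main__":
    for name in ("post-loader", "postcss-loader"):
        present, versions = triage_advisory(SAMPLE_LOCK, name)
        print(f"{name}: installed={present} versions={versions}")
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents; a False result for post-loader means the finding should be raised with the audit tool, not with postcss-loader.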

ansib commented

Could it be possible that it was incorrectly assigned to this package (at npm audit and JFrog Xray)?

I do not use post-loader in my project, but I have the same problem with JFrog.


You should update postcss-loader to https://github.com/webpack-contrib/postcss-loader/blob/master/package.json#L3, and maybe even open an issue in the angular cli.

ansib commented

Yes, we also need to do this. But version 6.2.1 is also blocked by JFrog and npm audit. I will open an issue at npm cli to address this incorrect vulnerability, but first we need to fix it with JFrog. Thanks so far!