Security vulnerability affecting all versions
migill opened this issue · 8 comments
A security vulnerability in postcss-loader has been identified by snyk.io (see https://security.snyk.io/vuln/SNYK-JS-POSTLOADER-2403737).
We are postcss-loader; you provided a link to post-loader, which is a different package.
Sorry, you're right! And yet, JFrog Artifactory is preventing me from using your package based on that vulnerability - how odd...
Can you show a message?
npm audit reports the following:
  Critical        post-loader Package for Node.js index.js postLoader() Function Insecure Template Literal Handling Arbitrary Code Execution
  Package         postcss-loader
  Patched in
  Dependency of   @angular-devkit/build-angular [dev]
  Path            @angular-devkit/build-angular > postcss-loader
  More info       https://security.snyk.io/vuln/SNYK-JS-POSTLOADER-2403737,ht…
Can you run npm ls postcss-loader and npm ls post-loader?
You should update postcss-loader to https://github.com/webpack-contrib/postcss-loader/blob/master/package.json#L3, maybe even open an issue in angular cli
Yes we also need to do this. But version 6.2.1 is also blocked by jfrog and npm audit. I will open an issue at npm cli to address this incorrect vulnerability, but at first we need to fix it with jfrog. Thanks so far!