webpack/css-loader

Vulnerable dependency of postcss

Closed this issue · 1 comment

Bug report

css-loader depends on a slightly vulnerable version of postcss (PostCSS line return parsing error, which affects linters parsing external CSS).

Actual Behavior

GitHub security Dependabot is giving an error.

Expected Behavior

Upgrade postcss to 8.4.31

How Do We Reproduce?

Run npm ls postcss

│ └─┬ css-loader@3.4.2
│   ├─┬ icss-utils@4.1.1
│   │ └── postcss@7.0.39
│   ├─┬ postcss-modules-extract-imports@2.0.0
│   │ └── postcss@7.0.39
│   ├─┬ postcss-modules-local-by-default@3.0.3
│   │ └── postcss@7.0.39
│   ├─┬ postcss-modules-scope@2.2.0
│   │ └── postcss@7.0.39
│   ├─┬ postcss-modules-values@3.0.0
│   │ └── postcss@7.0.39
│   └── postcss@7.0.39

Even after upgrading css-loader to 6.8.1, the postcss version is 8.4.29.

Please paste the results of npx webpack-cli info here, and mention other relevant information

System:
OS: macOS 13.4
CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
Memory: 223.09 MB / 32.00 GB
Binaries:
Node: 16.13.2 - ~/.nvm/versions/node/v16.13.2/bin/node
npm: 8.1.2 - ~/.nvm/versions/node/v16.13.2/bin/npm
Browsers:
Chrome: 119.0.6045.159
Safari: 16.5
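The reproduction step above reads the tree from `npm ls postcss` by eye. The following is an added example, not code from the css-loader project or from either participant: it walks the JSON form of that tree (`npm ls postcss --all --json`) and lists every resolved copy of postcss below a minimum version, together with the dependency path that pulls it in. The minimum version `8.4.31`, the script file name `audit-postcss.js` and the sample tree are assumptions made for this example; the tree is constructed to resemble the one posted in the issue and is not real project data. Note that when a dependency already resolves to 8.4.29 (as reported after the upgrade to css-loader 6.8.1), npm will pick the newest version inside the declared caret range when the lockfile is refreshed, so `npm update postcss` is the first thing to try before waiting on a css-loader release.

```javascript
// Added example (not css-loader project code): audit an `npm ls --all --json`
// tree for copies of a package below a minimum version.

const PACKAGE = "postcss";
const MIN_VERSION = "8.4.31"; // assumed: the version the reporter asks for

// Compare dotted release versions numerically. Prerelease tags after "-" are
// ignored (assumption: the lockfile holds plain release versions).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the dependency tree depth-first, recording every resolved copy of
// `pkg` together with the chain of dependencies that pulls it in. Entries
// without a version (e.g. npm's "deduped" markers) are not reported.
function findCopies(node, pkg, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = path.concat(`${name}@${child.version || "?"}`);
    if (name === pkg && child.version) {
      out.push({ version: child.version, path: here.join(" > ") });
    }
    findCopies(child, pkg, here, out);
  }
  return out;
}

// Keep only the copies older than `minVersion`.
function outdatedCopies(tree, pkg, minVersion) {
  return findCopies(tree, pkg).filter(
    (hit) => compareVersions(hit.version, minVersion) < 0
  );
}

// Constructed sample resembling the tree in the issue: css-loader 3.4.2 pulls
// in postcss 7.0.39 several times, while another dependency already has 8.4.31.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "css-loader": {
      version: "3.4.2",
      dependencies: {
        "icss-utils": { version: "4.1.1", dependencies: { postcss: { version: "7.0.39" } } },
        "postcss-modules-scope": { version: "2.2.0", dependencies: { postcss: { version: "7.0.39" } } },
        postcss: { version: "7.0.39" },
      },
    },
    "postcss-loader": {
      version: "7.3.3",
      dependencies: { postcss: { version: "8.4.31" } },
    },
  },
};

// Usage: npm ls postcss --all --json > tree.json && node audit-postcss.js tree.json
// Without an argument the constructed sample tree is audited instead.
function main() {
  const tree = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_TREE;
  const hits = outdatedCopies(tree, PACKAGE, MIN_VERSION);
  for (const hit of hits) console.log(`${hit.version} via ${hit.path}`);
  console.log(`${hits.length} copies of ${PACKAGE} below ${MIN_VERSION}`);
  return hits.length;
}

if (typeof require !== "undefined" && require.main === module) {
  const count = main();
  if (process.argv[2] && count > 0) process.exitCode = 1; // fail CI on a real tree
}
```

Run against a real tree, a non-zero exit code makes the check usable as a CI gate; the path column tells you which direct dependency (here css-loader) has to move before the old postcss copy can disappear from the lockfile.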

Please update css-loader to the latest stable version or ask the postcss developers to fix the security problem in version 7.0.39; sorry, we can't fix it here.