Closed
Describe the bug
[ moderate ] Regular Expression Denial of Service in postcss
vulnerable versions <8.2.13 found in:
- dependencies: typescript-plugin-css-modules>postcss-filter-plugins>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>icss-utils>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-selectors>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-selectors>icss-utils>postcss
To Reproduce
execute yarn or npm audit
Expected behavior
A successful audit
Note: I realize that the postcss-filter-plugins/icss-* modules are way out of date; that's the underlying cause... maybe there's another package this could move to.
Activity
SukkaW commented on Apr 5, 2022
Note it is not the issue of typescript-plugin-css-modules. It is postcss-icss-keyframes that relies on postcss@6.
KenjiTakahashi commented on Apr 13, 2022
FYI css-modules/postcss-icss-selectors#126
Looks like these libs are dead and should not be used.
mrmckeb commented on Oct 24, 2022
Thanks, I'll look at replacing this dependency.
FBNitro commented on Nov 29, 2022
#115 is now also causing audit issues because it is outdated.
mrmckeb commented on Dec 4, 2022
Deps are now updated and will be in the release today.
FBNitro commented on Dec 5, 2022
Sorry @mrmckeb it's still depending on postcss-icss-* and continues to fail audit checks with the latest version.
Can you reopen this please?
Version 4.1.1:
[critical] loader-utils: Prototype pollution in webpack loader-utils (1084924)
typescript-plugin-css-modules>postcss-icss-selectors>generic-names>loader-utils
As mentioned above, postcss-icss-selectors should not be used:
css-modules/postcss-icss-selectors#126
postcss-* packages #181
mrmckeb commented on Dec 11, 2022
Sorry, I was closing off a bunch of issues at once and didn't read the initial post in this issue correctly at the time (as I'd updated PostCSS).
Looking at the advisory, I don't think it is an immediate risk, but I understand the desire to deal with it ASAP:
GHSA-566m-qj78-rww5
This project predates the comment you mentioned, which is why it uses postcss-icss-selectors; however, the refactor should allow us to remove that package. Unfortunately this is a fairly big rewrite. I hope to have it finished, tested and shipped in the next few weeks. It looks like all of the packages you mentioned have been abandoned unfortunately, so I'll need to fork those or rewrite the functionality if I can't find suitable replacements.
mrmckeb commented on Dec 11, 2022
Looking at the plugins in more detail, I'm most concerned around postcss-filter-plugins, which may be a feature we have to drop for now as there aren't any obvious replacements.
GZLiew commented on Feb 2, 2023
Is this fix still ongoing? Do you need any help? @mrmckeb
243083df commented on Feb 16, 2023
Can we just copy their sources and update deps like this: css-modules/postcss-icss-selectors#128?
They have an MIT license.
mrmckeb commented on Feb 18, 2023
Hi there, I'm working on this over this weekend. I'll remove these packages completely.
Sorry, it's hard to find large chunks of time for work like this outside of my other job, and life. I understand this is a big issue for some people and will aim to get it done this weekend.
postcss-* packages #201
mrmckeb commented on Feb 19, 2023
This is now available in v4.2.1: