Audit issues due to postcss version
Describe the bug
[ moderate ] Regular Expression Denial of Service in postcss
vulnerable versions <8.2.13 found in:
- dependencies: typescript-plugin-css-modules>postcss-filter-plugins>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>icss-utils>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-selectors>postcss
- dependencies: typescript-plugin-css-modules>postcss-icss-selectors>icss-utils>postcss
To Reproduce
execute yarn or npm audit
Expected behavior
A successful audit
Note: I realize that the postcss-filter-plugin/icss-* modules are way out of date; that’s the underlying cause… maybe there’s another package this could move to.
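One way to see exactly which paths pull in the old postcss, without waiting on the audit service: the script below (an added example, not code from the issue or from typescript-plugin-css-modules) walks the `packages` map of a lockfileVersion 2 package-lock.json using Node's nearest-`node_modules` lookup rule and reports every dependency chain ending in a postcss older than 8.2.13. The lockfile excerpt and the versions of the intermediate packages are constructed for illustration.

```python
# Constructed lockfileVersion 2 excerpt (the "packages" map of package-lock.json);
# the intermediate package versions are made up for illustration, not from the issue.
LOCK = {"packages": {
    "": {"dependencies": {"typescript-plugin-css-modules": "^4.1.1"}},
    "node_modules/typescript-plugin-css-modules": {"version": "4.1.1",
        "dependencies": {"postcss": "^8.3.0", "postcss-icss-keyframes": "^0.2.1"}},
    "node_modules/postcss": {"version": "8.4.5"},
    "node_modules/postcss-icss-keyframes": {"version": "0.2.1",
        "dependencies": {"icss-utils": "^3.0.1", "postcss": "^7.0.0"}},
    "node_modules/postcss-icss-keyframes/node_modules/postcss": {"version": "7.0.35"},
    "node_modules/icss-utils": {"version": "3.0.1", "dependencies": {"postcss": "^7.0.0"}},
    "node_modules/icss-utils/node_modules/postcss": {"version": "7.0.35"},
}}

def parse_version(v):
    """'7.0.35' -> (7, 0, 35); prerelease and build tags are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))

def resolve(packages, parent_path, name):
    """Node's lookup rule: the nearest node_modules/<name> walking up from parent_path."""
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None  # dependency not installed at all
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""

def vulnerable_chains(lock, target, fixed_in):
    """Every dependency chain from the root whose last hop is target older than fixed_in."""
    packages, fixed, chains = lock["packages"], parse_version(fixed_in), []

    def walk(path, names, seen):
        deps = dict(packages[path].get("dependencies", {}))
        if path == "":  # devDependencies are installed for the root project only
            deps.update(packages[path].get("devDependencies", {}))
        for dep in deps:
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in seen:  # missing dep or cycle
                continue
            version = packages[dep_path].get("version")
            if dep == target and version and parse_version(version) < fixed:
                chains.append(">".join(names + [f"{dep}@{version}"]))
            walk(dep_path, names + [dep], seen | {dep_path})

    walk("", [], {""})
    return sorted(chains)
```

For a real project, `vulnerable_chains(json.load(open("package-lock.json")), "postcss", "8.2.13")` reproduces the `a>b>postcss` paths that the audit output lists; a yarn.lock has a different format and needs its own parser.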

FYI https://github.com/css-modules/postcss-icss-selectors/issues/126 Looks like these libs are dead and should not be used.
Sorry @mrmckeb it’s still depending on postcss-icss-* and continues to fail audit checks with the latest version.
Can you reopen this please?
Version 4.1.1:
[critical] loader-utils: Prototype pollution in webpack loader-utils (1084924) typescript-plugin-css-modules>postcss-icss-selectors>generic-names>loader-utils
As mentioned above, postcss-icss-selectors should not be used: https://github.com/css-modules/postcss-icss-selectors/issues/126