GSA / 889-tool

Web service for determining 889 compliance of vendors

Dependabot Alert: PostCSS line return parsing error #245

Open JennaySDavis opened 3 weeks ago

JennaySDavis commented 3 weeks ago

Severity - Moderate

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS to contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
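To make the "\r discrepancy" in the advisory concrete, here is an added example (not code from PostCSS or from the 889-tool repository): a small comment-aware scanner that reads the advisory's sample stylesheet the way a browser's CSS tokenizer would, plus the line-ending normalisation that the CSS Syntax specification applies before tokenizing. The sample CSS is constructed from the string in the advisory.

```javascript
// Added example (not code from PostCSS or the 889-tool repository).
// Shows what a browser-style reader makes of the advisory's sample and how
// normalising \r to \n removes the carriage-return ambiguity before the text
// reaches an older parser. Sample input is constructed from the advisory.

// CSS Syntax preprocessing: \r\n, \r and \f become \n before tokenizing.
function normalizeLineEndings(css) {
  return css.replace(/\r\n|\r|\f/g, "\n");
}

// Split CSS into comment and non-comment spans, honouring string literals
// (a "/*" inside quotes is not a comment start). Returns [{ kind, text }].
function splitComments(css) {
  const spans = [];
  let i = 0;
  let start = 0;
  const push = (kind, end) => {
    if (end > start) spans.push({ kind, text: css.slice(start, end) });
    start = end;
  };
  while (i < css.length) {
    const c = css[i];
    if (c === '"' || c === "'") {
      // Skip a string: backslash escapes the next char; a newline ends a bad string.
      i++;
      while (i < css.length && css[i] !== c && css[i] !== "\n") {
        i += css[i] === "\\" ? 2 : 1;
      }
      i++;
    } else if (c === "/" && css[i + 1] === "*") {
      push("code", i);
      const close = css.indexOf("*/", i + 2);
      i = close === -1 ? css.length : close + 2; // unterminated comment runs to EOF
      push("comment", i);
    } else {
      i++;
    }
  }
  push("code", css.length);
  return spans;
}

// The text a browser would actually apply: everything outside comments.
function effectiveCss(css) {
  return splitComments(normalizeLineEndings(css))
    .filter((s) => s.kind === "code")
    .map((s) => s.text)
    .join("");
}

// Constructed sample: the advisory's rule followed by a second rule that a
// linter would otherwise evaluate. For a browser, the "/*" swallows the rest.
const SAMPLE = "@font-face{ font:(\r/*);}\n.x { color: red }";
console.log(JSON.stringify(effectiveCss(SAMPLE)));
```

The scanner returns only `@font-face{ font:(` plus the newline for the sample: the `/*` that follows the carriage return opens a comment that never closes, so `);}` and the whole `.x` rule are comment text from the browser's point of view. Running `normalizeLineEndings` over untrusted CSS before it reaches a parser is the preprocessing step the CSS Syntax specification already prescribes and removes the `\r`-specific case; upgrading PostCSS to 8.4.31 or later remains the actual fix.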

JennaySDavis commented 3 weeks ago

This Dependabot Alert cannot be completed at this time because of a USWDS dependency. Once USWDS fixes the issue, the PostCSS Dependabot issue can be resolved for the 889 Tool.

john-labbate commented 3 weeks ago

The PostCSS version ^7.0.16 dependency is inherited from USWDS/Compile v1.1.0 => node_modules/gulp-sourcemaps v3.0.0 => @gulp-sourcemaps/identity-map ^2.0.1 => postcss ^7.0.16. The latest versions of USWDS/Compile and gulp-sourcemaps have not resolved this vulnerability within their codebases. As this is a dev-only dependency that has not been deployed to production and its code is not under our control, we will not be resolving it at this time. If and when it is updated within the USWDS/Compile codebase we will update the 889-tool solution to match.
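The dependency chain traced in the comment above can be checked mechanically rather than by hand. The following is an added example, not code from the 889-tool repository: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), reports every copy of `postcss` older than the fixed 8.4.31 release, whether npm marked it as dev-only, and the nesting path that places it. The lockfile fragment is constructed to mirror the chain named in the comment; the resolved version numbers in it are placeholders.

```javascript
// Added example (not part of the 889-tool repository): audit a package-lock.json
// for copies of a package below the fixed version and report where they sit.
// The lockfile below is constructed for illustration; versions are placeholders.

const FIXED_VERSION = "8.4.31"; // first PostCSS release without the \r parsing bug

// Parse "major.minor.patch" into numbers; pre-release and build suffixes are dropped.
function parseVersion(v) {
  return v.split("-")[0].split("+")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile package path -> list of package names along the nesting.
// "node_modules/a/node_modules/@s/b/node_modules/c" -> ["a", "@s/b", "c"]
function chainFromPath(pkgPath) {
  return pkgPath.split("node_modules/").slice(1).map((s) => s.replace(/\/$/, ""));
}

// Scan the "packages" map of a v2/v3 lockfile for copies of `name` below `fixedVersion`.
function findVulnerableCopies(lock, name, fixedVersion) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    const chain = chainFromPath(pkgPath);
    if (chain.length === 0 || chain[chain.length - 1] !== name) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path: pkgPath, version: meta.version, dev: Boolean(meta.dev), chain });
    }
  }
  return hits;
}

// Constructed lockfile fragment mirroring the chain described in the issue:
// a hoisted fixed postcss at the top level and an old copy nested under identity-map.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@uswds/compile": "^1.1.0" } },
    "node_modules/@uswds/compile": { version: "1.1.0", dev: true },
    "node_modules/gulp-sourcemaps": { version: "3.0.0", dev: true },
    "node_modules/@gulp-sourcemaps/identity-map": { version: "2.0.1", dev: true },
    "node_modules/@gulp-sourcemaps/identity-map/node_modules/postcss": { version: "7.0.16", dev: true },
    "node_modules/postcss": { version: "8.4.31", dev: true },
  },
};

// One line per finding, e.g. "[dev] postcss@7.0.16 via @gulp-sourcemaps/identity-map > postcss".
function report(lock) {
  return findVulnerableCopies(lock, "postcss", FIXED_VERSION).map(
    (h) => `${h.dev ? "[dev]" : "[prod]"} postcss@${h.version} via ${h.chain.join(" > ")}`
  );
}

console.log(report(SAMPLE_LOCK).join("\n"));
```

The nesting path only shows where npm physically placed a copy; a hoisted package can be required by several parents, so for the full requester chain (USWDS/Compile => gulp-sourcemaps => identity-map => postcss) run `npm ls postcss` against the real project. The `dev` flag is what supports the "dev-only, not deployed to production" assessment in the comment, and it is worth re-checking whenever the build tooling changes.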