GSA / smartpay-training

Prototype for new GSA SmartPay training quizzes

Dependabot Alert: PostCSS line return parsing error #582

Open JennaySDavis opened 3 weeks ago

JennaySDavis commented 3 weeks ago

Severity - Moderate

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

JennaySDavis commented 3 weeks ago

On Feb 5, 2024, @john-labbate wrote on Ticket #401 (this ticket was converted to the Astro Upgrade): We cannot resolve the PostCSS Dependabot issues, linked below, because our systems rely on uswds-compile. We currently have the latest version (1.1.0) installed, which depends on the vulnerable version of PostCSS. The USWDS package should be updated first, or we should move away from using it, but in the meantime, we will not be able to upgrade to a safe version.

In addition, Astro v2 depends on a vulnerable version of PostCSS. We would need to migrate to a newer version, requiring an overhaul since we are two full versions behind. We have spent about a week attempting this upgrade to Astro v4.

We do not currently have an accurate estimate of how long it will take to upgrade Astro as there are several unknowns around what is now preventing the upgraded version from working. Regardless, we will still need to resolve the dependency on USWDS-Compile before this vulnerability can be properly addressed.

On March 21, 2024, @CodyHinze wrote: Proposed upgrading to Astro 4.x to correct this issue, in addition to changing the base URL configuration to work on both Dev and Prod (cloud.gov).

john-labbate commented 3 weeks ago

The PostCSS version ^7.0.16 dependency is inherited from USWDS/Compile v1.1.0 => node_modules/gulp-sourcemaps v3.0.0 => @gulp-sourcemaps/identity-map ^2.0.1 => postcss ^7.0.16. The latest versions of USWDS/Compile and gulp-sourcemaps have not resolved this vulnerability within their codebases. As this is a dev-only dependency that has not been deployed to production and its code is not under our control, we will not be resolving it at this time. If and when it is updated within the USWDS/Compile codebase, we will update the smartpay training solution to match.
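As an added example (not code from the smartpay-training repository), a Node script that walks an `npm ls --json`-style dependency tree and reports every path that resolves to a PostCSS release older than the fixed 8.4.31, together with whether the chain is dev-only. The embedded tree is constructed to mirror the chain in the comment above; the resolved versions 2.0.1 and 7.0.16 are assumed from the quoted ^ ranges, and `@uswds/compile` is assumed as the npm name of USWDS/Compile.

```javascript
// Added example, not from the smartpay-training project: report every
// transitive PostCSS below the fixed release 8.4.31 in an `npm ls --json`
// style tree ({ name, version, dev?, dependencies: { pkg: {...} } }).
const FIXED_POSTCSS = [8, 4, 31];

function parseVersion(v) {
  // "7.0.16" or "8.4.31-rc.1" -> [major, minor, patch]; pre-release tag ignored.
  const core = v.split('-')[0].split('.').map(Number);
  if (core.length !== 3 || core.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return core;
}

function isVulnerablePostcss(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_POSTCSS[i]) return v[i] < FIXED_POSTCSS[i];
  }
  return false; // exactly 8.4.31 is the fixed release
}

// Depth-first walk. Each finding records the full path (so the direct
// dependency that owns the chain is obvious) and whether it is dev-only.
function findVulnerablePostcss(node, path = [], devChain = false) {
  const findings = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const isDev = devChain || dep.dev === true;
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'postcss' && isVulnerablePostcss(dep.version)) {
      findings.push({ path: here.join(' > '), version: dep.version, dev: isDev });
    }
    findings.push(...findVulnerablePostcss(dep, here, isDev));
  }
  return findings;
}

// Constructed tree mirroring the chain described in the issue; the versions
// 2.0.1 and 7.0.16 are assumed resolutions of the quoted ^ ranges.
const SAMPLE_TREE = {
  name: 'smartpay-training', version: '0.0.0',
  dependencies: {
    '@uswds/compile': { version: '1.1.0', dev: true, dependencies: {
      'gulp-sourcemaps': { version: '3.0.0', dependencies: {
        '@gulp-sourcemaps/identity-map': { version: '2.0.1', dependencies: {
          postcss: { version: '7.0.16' } } } } } } },
    postcss: { version: '8.4.31' }, // a fixed top-level copy does not remove the nested one
  },
};
```

Call `findVulnerablePostcss(SAMPLE_TREE)` to see the single dev-only finding; against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json --all`.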