Postcss 7.0.35 vulnerability

[braian-wallbit]

Dependabot alert us about a vulnerability on this package. Here are the details:

react-native-metamap-sdk@5.1.3 requires postcss@^7.0.35 via a transitive dependency on resolve-url-loader@4.0.0 No patched version available for postcss The earliest fixed version is 8.4.31.

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Could you please update dependencies to fixed version? Thank you!

[AvoSukiasyan]

hi @braian-wallbit . I'll update it and get back to here

[AvoSukiasyan]

I'll close this as the second one is the same problem on the different libraries