The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/*\s sourceMappingURL=(.).
This PR contains the following updates:
8.2.4->8.2.13GitHub Vulnerability Alerts
CVE-2021-23368
The npm package
postcssfrom 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.CVE-2021-23382
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/*\s sourceMappingURL=(.).
Release Notes
postcss/postcss
### [`v8.2.13`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8213) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.12...8.2.13) - Fixed ReDoS vulnerabilities in source map parsing (by Yeting Li). ### [`v8.2.12`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8212) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.11...8.2.12) - Fixed `package.json` exports. ### [`v8.2.11`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8211) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.10...8.2.11) - Fixed `DEP0148` warning in Node.js 16. - Fixed docs (by [@semiromid](https://togithub.com/semiromid)). ### [`v8.2.10`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8210) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.9...8.2.10) - Fixed ReDoS vulnerabilities in source map parsing. - Fixed webpack 5 support (by Barak Igal). - Fixed docs (by Roeland Moors). ### [`v8.2.9`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#829) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.8...8.2.9) - Exported `NodeErrorOptions` type (by Rouven Weßling). ### [`v8.2.8`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#828) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.7...8.2.8) - Fixed browser builds in webpack 4 (by Matt Jones). ### [`v8.2.7`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#827) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.6...8.2.7) - Fixed browser builds in webpack 5 (by Matt Jones). ### [`v8.2.6`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#826) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.5...8.2.6) - Fixed `Maximum call stack size exceeded` in `Node#toJSON`. - Fixed docs (by inokawa). ### [`v8.2.5`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#825) [Compare Source](https://togithub.com/postcss/postcss/compare/8.2.4...8.2.5) - Fixed escaped characters handling in `list.split` (by Natalie Weizenbaum).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.