JetBrains / svg-sprite-loader

Webpack loader for creating SVG sprites.
MIT License
2.01k stars, 272 forks

Regular Expression Denial of Service in postcss (6.0.11) #490

Open Shramkoweb opened 2 years ago

Shramkoweb commented 2 years ago

Do you want to request a feature, report a bug or ask a question? Security issue.

What is the current behavior?

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).

svg-sprite-loader@6.0.11 requires postcss@^5.2.17 via svg-baker@1.7.0

Please tell us about your environment:
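The following is an added example, not postcss's own source and not the 7.0.36 / 8.2.13 fix. It takes a regex with the shape the report describes (`\s* sourceMappingURL=(.*)` inside a comment), shows why an unterminated annotation makes it backtrack quadratically, and contrasts it with a hardened variant whose capture excludes whitespace. The `/*# ... */` comment delimiters around the sub-pattern, the `getAnnotationURL()` wrapper and the sample stylesheets are assumptions made for this illustration.

```javascript
// Added example (not postcss's own source, and not the 7.0.36 / 8.2.13 fix):
// a regex with the shape the report describes, a crafted stylesheet that makes
// it backtrack quadratically, and a hardened variant that fails in linear time.
// The surrounding "/*# ... */" comment delimiters are assumed for illustration.

// Vulnerable shape: `(.*)` and the following `\s*` both accept whitespace, so
// on an unterminated annotation the engine tries every split between them.
const VULNERABLE_ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

// Hardened shape: the URL capture excludes whitespace, so the two quantifiers
// can no longer compete for the same characters (one path per input position).
const HARDENED_ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(\S*)\s*\*\//;

// Mirrors the getAnnotationURL() shape from the report: the trimmed capture,
// or null when no annotation matches.
function getAnnotationURL(css, re) {
  const m = css.match(re);
  return m ? m[1].trim() : null;
}

// Constructed attacker input: an opening annotation, n spaces, no closing "*/".
// Every space is both a place `.*` can stop and a place `\s*` can start, so the
// vulnerable regex explores roughly n^2/2 combinations before giving up.
function craftReDoSInput(n) {
  return '/*# sourceMappingURL=' + ' '.repeat(n);
}

// One match attempt with its wall-clock cost in milliseconds.
function timeMatch(re, css) {
  const start = process.hrtime.bigint();
  const result = getAnnotationURL(css, re);
  return { result, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Constructed benign stylesheet; both regexes must extract the same URL from it.
const BENIGN_CSS = 'a{color:red}\n/*# sourceMappingURL=app.css.map */\n';
const REDOS_SAMPLE_LENGTH = 10000;

// Runs both regexes over the benign and the crafted input and returns the
// results so the caller can inspect (or assert on) them.
function compareRegexes(n = REDOS_SAMPLE_LENGTH) {
  const crafted = craftReDoSInput(n);
  return {
    benignVulnerable: getAnnotationURL(BENIGN_CSS, VULNERABLE_ANNOTATION_RE),
    benignHardened: getAnnotationURL(BENIGN_CSS, HARDENED_ANNOTATION_RE),
    vulnerable: timeMatch(VULNERABLE_ANNOTATION_RE, crafted),
    hardened: timeMatch(HARDENED_ANNOTATION_RE, crafted),
  };
}

const report = compareRegexes();
console.log(
  `unterminated annotation of ${REDOS_SAMPLE_LENGTH} spaces: ` +
  `vulnerable ${report.vulnerable.ms.toFixed(1)} ms, ` +
  `hardened ${report.hardened.ms.toFixed(3)} ms`
);
```

Run it with `node`; the absolute numbers depend on the engine and machine, but the gap between the two regexes grows with the square of the padding length, so 10 000 spaces is enough to see it. The exposure this creates for a build pipeline depends on whether CSS from an untrusted party can reach postcss with an attacker-chosen annotation; for a loader that processes the project's own files that is a question to answer per project, not something this thread settles.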

NickWoodward commented 1 year ago

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency
Shramkoweb commented 1 year ago

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

No. Unfortunately, I am waiting for a fix.
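The EOVERRIDE error quoted above comes from a documented npm rule: a top-level `overrides` entry for a package that is also a direct dependency is refused unless both specs are identical, or the override is written as `$<name>`, which tells npm to reuse the direct dependency's spec. The block below is an added example, not npm's code, that checks a manifest against that rule before `npm install` runs and rewrites conflicting entries to the `$<name>` form. The manifests and version ranges are constructed for the illustration; only the svg-sprite-loader@6.0.11 pin is taken from the report.

```javascript
// Added example, not npm's own code: a pre-flight check for the package.json
// rule behind npm's EOVERRIDE error. npm rejects a top-level "overrides" entry
// for a package that is also a direct dependency unless both specs are
// identical, or the override is written as "$<name>" (reuse the direct spec).
// The manifests below are constructed for this example; versions are illustrative.

// Returns the override entries npm would refuse. Nested (object) overrides are
// scoped to another package and are not subject to this rule, so they are skipped.
function checkOverrides(pkg) {
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, spec] of Object.entries(pkg.overrides || {})) {
    if (typeof spec !== 'string') continue;
    if (spec.startsWith('$')) {
      const ref = spec.slice(1);
      if (!(ref in direct)) {
        problems.push({ name, override: spec, reason: `"$${ref}" does not name a direct dependency` });
      }
    } else if (name in direct && direct[name] !== spec) {
      problems.push({ name, override: spec, reason: `conflicts with direct dependency ${name}@${direct[name]}` });
    }
  }
  return problems;
}

// Returns a copy of the manifest in which each conflicting override is rewritten
// as "$<name>", so the override and the direct dependency can no longer drift
// apart; the direct dependency spec stays the single source of truth.
function alignOverrides(pkg) {
  const fixed = { ...pkg, overrides: { ...(pkg.overrides || {}) } };
  for (const { name, override } of checkOverrides(pkg)) {
    if (!override.startsWith('$')) fixed.overrides[name] = `$${name}`;
  }
  return fixed;
}

// Constructed manifest reproducing the situation in the thread: postcss is
// listed both as a direct dependency and as an override, with different ranges.
const CONFLICTING_MANIFEST = {
  name: 'example-app',
  dependencies: {
    'svg-sprite-loader': '6.0.11',
    postcss: '^8.4.21',
  },
  overrides: {
    postcss: '^8.4.16',
  },
};

console.log(checkOverrides(CONFLICTING_MANIFEST));
console.log(JSON.stringify(alignOverrides(CONFLICTING_MANIFEST).overrides));
```

Two caveats worth keeping in mind. If you only want to pin the copy svg-baker pulls in, a scoped override (`"svg-baker": { "postcss": "..." }`) avoids the top-level rule entirely. Either way, the override replaces a package that declared `postcss@^5.2.17` with an 8.x release, and whether svg-baker's code runs correctly against that major version is not established anywhere in this thread, so run the build and its tests after changing it.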