apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance
MIT License

The postcss v8.4.27 vulnerability #640

Closed Ali-Zmn closed 5 months ago

Ali-Zmn commented 5 months ago

Hi,

I was running some vulnerability checks on sanitize-html and saw you're using postcss@8.4.27 which has CVE-2023-44270. The vulnerability is fixed in 8.4.31 but the latest is 8.4.33. Wondering if you have any plans to adopt the new version.

Thanks

boutell commented 5 months ago

Hi Ali,

If you look again at package.json you'll see this is a semver (Semantic Versioning) rule. The "^" means "at least" that version, e.g. it will install the newest in the 8.x series. It does not install that specific version. We do not update package.json every time a dependency releases an update, as long as the semantic versioning rule is correct.

(The version specified in package.json is not 8.4.27 so I'm not sure where you got that number from)
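To make the distinction in the reply above concrete, here is an added example (not code from sanitize-html or from either participant): a small caret-range checker that tells whether a declared range can resolve to the release that fixes a CVE, and separately whether the version actually installed (as recorded in a lockfile) already is. The range `^8.4.20` and the installed version are constructed values, since the real package.json entry is not shown on this page.

```javascript
// Caret rule assumed here (npm semantics): ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0
// when X > 0; ^0.Y.Z allows <0.(Y+1).0; ^0.0.Z allows only 0.0.Z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 as a is lower than, equal to, or higher than b.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True if `version` falls inside the caret range `range` ("^x.y.z").
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges handled here');
  const base = range.slice(1);
  const [lo, v] = [parseVersion(base), parseVersion(version)];
  if (compareVersions(version, base) < 0) return false;
  // Upper bound: the leftmost non-zero component may not change.
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// Two separate questions a scanner finding should be checked against:
// does the declared range admit the fixed release, and is the version
// pinned by the lockfile already at or past it? The `action` string is
// only a suggestion: a refresh of the lockfile when the range already
// covers the fix, a package.json bump when it does not.
function assessDependency({ range, installed, fixedIn }) {
  const rangeAdmitsFix = satisfiesCaret(range, fixedIn);
  const installedIsFixed = compareVersions(installed, fixedIn) >= 0;
  let action = 'none';
  if (!installedIsFixed) action = rangeAdmitsFix ? 'refresh lockfile (npm update)' : 'bump range in package.json';
  return { rangeAdmitsFix, installedIsFixed, action };
}

// Constructed sample: a caret range below the fix and an installed version that
// the lockfile has not moved past the vulnerable release yet.
const sample = { range: '^8.4.20', installed: '8.4.27', fixedIn: '8.4.31' };
console.log(assessDependency(sample));
```

Run against a real project, the `installed` value would come from `npm ls postcss` or the lockfile rather than from package.json, which is exactly the gap the scanner in the issue fell into.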