Closed by stof 2 years ago
It also has a CVE before 8.2.10.
I'm going to schedule this for v5, which 🤞 should happen in a few weeks. The plan is to release and immediately supersede v4 with a v5. For v5 we can increase the node engine requirement and bump postcss to the latest version.
Note that the discussion is split across this issue and PR #169.
FWIW, this just popped up on my screen:

Overview: postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Remediation: Upgrade to version 8.2.10 or later.
Resources: https://www.npmjs.com/advisories/1693

CVE-2021-23368 for reference.
There is an ~early v5 alpha~ v5 beta now available using Postcss 8, released as resolve-url-loader@next. Please give it a try. 🙏

I will leave this issue open until we have a full release of resolve-url-loader@5.0.0.

If you have tried the alpha and it works for you please 👍 here.
Crossposting from #169: the alternative interim fix is to force postcss@8 with the resolutions field.
postcss released a backported fix as 7.0.36; currently waiting on the CVE to be updated. https://github.com/postcss/postcss/issues/1574#issuecomment-859226586
Can the dependency in v3 be upgraded to this version?
3.1.4 was released with the upgraded dependency: https://github.com/bholloway/resolve-url-loader/pull/210
Just noting https://nvd.nist.gov/vuln/detail/CVE-2021-23382 - it would be good to get things updated. Hopefully with the work on v5 something can be released in the not too distant future.
CVE-2021-23382 - moderate severity. Vulnerable versions: < 8.2.13. Patched version: 8.2.13.

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*)/.
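Two things in this thread lend themselves to a worked check: the affected version ranges quoted from the two advisories (CVE-2021-23368: >=7.0.0 <8.2.10, CVE-2021-23382: <8.2.13), and the interim fix crossposted from #169 of forcing postcss@8 through the Yarn `resolutions` field. The Node script below is an added example and is not code from resolve-url-loader or postcss. The dependency tree and package.json it works on are constructed samples in the shape of `npm ls --json` output; the small version comparator, the helper names, and the `^8.2.13` pin are the example's own choices. It deliberately encodes the ranges exactly as quoted in the thread, so the 7.0.36 backport mentioned above is not treated as fixed here; adjust the table once the advisory reflects it.

```javascript
// Added example (not from resolve-url-loader or postcss): report every postcss
// copy in a dependency tree that falls inside the ReDoS ranges quoted in this
// thread, and build the Yarn "resolutions" pin that forces one postcss@8 copy.

// Affected ranges exactly as quoted in the thread. The 7.0.36 backport noted in
// the discussion is intentionally NOT encoded, because the advisory text quoted
// on this page had not yet been updated for it.
const ADVISORIES = [
  { id: 'CVE-2021-23368', min: '7.0.0', fixed: '8.2.10' }, // >=7.0.0 <8.2.10
  { id: 'CVE-2021-23382', min: null,    fixed: '8.2.13' }, // <8.2.13
];

// Parse "MAJOR.MINOR.PATCH" into numbers (leading ^/~/v and any pre-release or
// build suffix are dropped; this is a minimal comparator, not full semver).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[v^~]/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, returns -1 / 0 / 1 (avoids the "8.2.9" > "8.2.10" string trap).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisory IDs that apply to a given postcss version, per the table above.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter(a => (a.min === null || compareVersions(version, a.min) >= 0)
              && compareVersions(version, a.fixed) < 0)
    .map(a => a.id);
}

// Walk an `npm ls --json`-shaped tree and collect every vulnerable postcss copy
// together with the dependency path that pulls it in.
function findVulnerablePostcss(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'postcss') {
      const ids = affectedAdvisories(node.version);
      if (ids.length) hits.push({ path: here.join(' > '), version: node.version, ids });
    }
    hits.push(...findVulnerablePostcss(node, here));
  }
  return hits;
}

// Interim fix from #169: pin postcss for the whole tree via Yarn's "resolutions"
// field. Default pin is the patched version quoted in the CVE-2021-23382 text.
function withPostcssResolution(pkg, version = '8.2.13') {
  return { ...pkg, resolutions: { ...(pkg.resolutions || {}), postcss: `^${version}` } };
}

// Constructed sample tree (not a real `npm ls` capture): an old resolve-url-loader
// v3 still carrying postcss 7.x next to a sibling already on a patched postcss 8.
const SAMPLE_TREE = {
  dependencies: {
    'resolve-url-loader': {
      version: '3.1.2',
      dependencies: { postcss: { version: '7.0.35' } },
    },
    autoprefixer: {
      version: '10.2.5',
      dependencies: { postcss: { version: '8.2.13' } },
    },
  },
};

// Constructed sample manifest for the resolutions fix.
const SAMPLE_PKG = { name: 'app', version: '1.0.0', dependencies: { 'resolve-url-loader': '^3.1.2' } };

// Human-readable report for the sample; the functions above are what a CI check would call.
function report() {
  const lines = findVulnerablePostcss(SAMPLE_TREE)
    .map(h => `${h.path}: ${h.ids.join(', ')}`);
  return lines.concat([JSON.stringify(withPostcssResolution(SAMPLE_PKG))]).join('\n');
}

console.log(report());
```

Run it with `node` after saving; in a real project feed `findVulnerablePostcss` the parsed output of `npm ls postcss --all --json` (or walk the lockfile) instead of the constructed tree, and remember that a `resolutions` pin only works under Yarn and only if the loader actually tolerates postcss 8, which is why the thread points at the v5 line as the proper fix.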
Released resolve-url-loader@5.0.0 as dist-tag latest. Removed dist-tag next.
It would be great if the resolve-url-loader could be migrated to use postcss 8. Postcss 7 is not maintained anymore.