bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

Postcss 8 #198

Closed stof closed 2 years ago

stof commented 3 years ago

It would be great if the resolve-url-loader could be migrated to use postcss 8. Postcss 7 is not maintained anymore.

SymbioticKilla commented 3 years ago

It also has a CVE before 8.2.10

bholloway commented 3 years ago

I'm going to schedule this for v5 which 🤞 should happen in a few weeks.

The plan is to release and immediately supersede v4 with a v5. For v5 we can increase the node engine requirement and bump postcss to the latest version.

bholloway commented 3 years ago

Note that discussion is split across this issue and PR #169

IronGeek commented 3 years ago

FWIW, this just popped up on my screen:

Overview: postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Remediation: Upgrade to version 8.2.10 or later

Resources: https://www.npmjs.com/advisories/1693

taisph commented 3 years ago

CVE-2021-23368 for reference.

bholloway commented 3 years ago

There is an ~early v5 alpha~ v5 beta now available using Postcss 8, released as resolve-url-loader@next. Please give it a try. 🙏

I will leave this issue open until we have a full release of resolve-url-loader@5.0.0.

If you have tried the alpha and it works for you please 👍 here.

bholloway commented 3 years ago

Crossposting from #169: the alternative interim fix is to force postcss@8 with the resolutions field.

bdenhollander commented 3 years ago

postcss released a backported fix as 7.0.36, currently waiting on the CVE to be updated. https://github.com/postcss/postcss/issues/1574#issuecomment-859226586

Can the dependency in v3 be upgraded to this version?

bdenhollander commented 2 years ago

> Can the dependency in v3 be upgraded to this version?

3.1.4 was released with the upgraded dependency: https://github.com/bholloway/resolve-url-loader/pull/210

arborrow commented 2 years ago

Just noting https://nvd.nist.gov/vuln/detail/CVE-2021-23382 - it would be good to get things updated. Hopefully with the work on v5 something can be released in the not too distant future.

CVE-2021-23382 - moderate severity. Vulnerable versions: < 8.2.13. Patched version: 8.2.13.

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).
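The version ranges quoted in this thread (CVE-2021-23368 for >= 7.0.0 and < 8.2.10, the 7.0.36 backport mentioned above, and CVE-2021-23382 for < 8.2.13) are easy to misjudge when several copies of postcss are nested inside a lockfile, which is exactly the situation the resolutions override is meant to fix. The following is an added example, not code from resolve-url-loader or postcss: it walks a lockfile-v1 style dependency tree, collects every postcss entry with the path it was reached through, and reports which of the two advisories each copy falls under. The lockfile, the package names around postcss and their versions are constructed sample data; the advisory ranges are the ones quoted in the thread.

```javascript
// Added example (not part of resolve-url-loader or postcss): audit every
// postcss version in a lockfile tree against the ranges quoted in this thread.

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

const inRange = (v, lo, hi) =>
  compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;

// Ranges as quoted in the thread. For CVE-2021-23368 the 7.x line is treated
// as patched from 7.0.36 (the backport bdenhollander points to); this is an
// assumption layered on the npm advisory, which only names 8.2.10. The thread
// gives no 7.x range for CVE-2021-23382, so "< 8.2.13" is applied literally
// and 7.0.36 still trips that check; confirm against the advisory itself.
const ADVISORIES = [
  {
    id: 'CVE-2021-23368',
    affected: (v) => inRange(v, '7.0.0', '8.2.10') && !inRange(v, '7.0.36', '8.0.0'),
  },
  {
    id: 'CVE-2021-23382',
    affected: (v) => compareVersions(v, '8.2.13') < 0,
  },
];

// Walk a lockfile-v1 style "dependencies" tree; nested copies of postcss are
// the ones a quick "npm ls postcss" glance tends to miss.
function findPostcss(deps, trail = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (name === 'postcss') out.push({ path: path.join(' > '), version: entry.version });
    findPostcss(entry.dependencies, path, out);
  }
  return out;
}

// Returns one finding per postcss copy: its path, version and matching advisory ids.
function auditPostcss(lockfile) {
  return findPostcss(lockfile.dependencies).map(({ path, version }) => ({
    path,
    version,
    advisories: ADVISORIES.filter((a) => a.affected(version)).map((a) => a.id),
  }));
}

// Constructed sample lockfile: a hoisted postcss 8.2.13 plus two nested older
// copies pulled in by (hypothetical) dependents.
const SAMPLE_LOCKFILE = {
  dependencies: {
    postcss: { version: '8.2.13' },
    'resolve-url-loader': {
      version: '3.1.3',
      dependencies: { postcss: { version: '7.0.35' } },
    },
    'some-plugin': {
      version: '1.0.0',
      dependencies: { postcss: { version: '7.0.36' } },
    },
  },
};

for (const f of auditPostcss(SAMPLE_LOCKFILE)) {
  console.log(`${f.path} ${f.version}: ${f.advisories.length ? f.advisories.join(', ') : 'ok'}`);
}
```

Run with `node` against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfile v2/v3 files carry a flat `packages` map instead of the nested `dependencies` tree and would need a different walker.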

bholloway commented 2 years ago

Released resolve-url-loader@5.0.0 as dist-tag latest. Removed dist-tag next.