bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

Bump PostCSS #210

Closed derrabus closed 3 years ago

derrabus commented 3 years ago

Hello 👋🏻

I stumbled across your package because it's a dependency of react-scripts. Unfortunately, it pins PostCSS to a version that turned out to be vulnerable, see https://www.npmjs.com/advisories/1693

I'd like to propose to bump to the latest bugfix release of PostCSS which contains a patch against that vulnerability.

stof commented 3 years ago

To reduce the maintenance needs, I would even suggest switching that to a semver range instead (as done in v4). What do you think @bholloway?

bholloway commented 3 years ago

Open semver ranges previously resulted in bugs for this package. But due to pressure V4 opened the range. If people are still using V3 I can only assume they are highly change averse and so I will make minimal changes.

While I will merge this PR (as soon as I can run the e2e tests) I am very concerned that react-scripts and other frameworks seem to not update dependencies regularly.
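
As an added example (not code from resolve-url-loader or from any of the commenters) of the pin-versus-range trade-off discussed in this thread, the following small resolver mimics how an exact pin, a tilde range and a caret range each select from a list of published versions. The version list and the "vulnerable"/"fixed" labels are constructed placeholders, not PostCSS's real release numbers, and the range semantics follow npm's documented rules for `~` and `^`.

```javascript
// Added example: minimal semver resolver illustrating why a pinned
// dependency never picks up a patched release, while ~ and ^ ranges do.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison of two "x.y.z" strings (negative, zero, positive).
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Build a predicate for a spec: exact pin ("1.4.1"), tilde ("~1.4.1")
// or caret ("^1.4.1"). Tilde allows patch updates only; caret allows
// minor and patch updates (with npm's stricter rule for 0.x versions).
function satisfies(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const baseStr = op ? spec.slice(1) : spec;
  const base = parseVersion(baseStr);
  return (v) => {
    const c = parseVersion(v);
    if (compare(v, baseStr) < 0) return false;       // lower bound for all specs
    if (op === '') return compare(v, baseStr) === 0;  // exact pin
    if (op === '~') return c.major === base.major && c.minor === base.minor;
    // caret: 0.0.x -> only that patch; 0.x -> same minor; otherwise same major
    if (base.major === 0 && base.minor === 0) {
      return c.major === 0 && c.minor === 0 && c.patch === base.patch;
    }
    if (base.major === 0) return c.major === 0 && c.minor === base.minor;
    return c.major === base.major;
  };
}

// Pick the highest available version that satisfies the spec, or null.
function resolve(spec, available) {
  const ok = available.filter(satisfies(spec)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample registry: treat 1.4.1 as the "vulnerable" release
// and 1.4.2 as the bugfix release that patches it.
const AVAILABLE = ['1.4.0', '1.4.1', '1.4.2', '1.5.0', '2.0.0'];

function demo() {
  return {
    pinned: resolve('1.4.1', AVAILABLE),  // stays on the vulnerable release
    tilde: resolve('~1.4.1', AVAILABLE),  // takes the bugfix, nothing more
    caret: resolve('^1.4.1', AVAILABLE),  // also takes the next minor release
  };
}

console.log(demo());
```

The tilde case is the middle ground between the two positions in the thread: it still receives bugfix releases such as a security patch without being exposed to the minor-release changes that caused problems for this package before, at the cost of still needing a manual bump when a fix only ships in a newer minor line.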

bholloway commented 3 years ago

Published as resolve-url-loader@3.1.4.

derrabus commented 3 years ago

Thank you!