csstools / postcss-advanced-variables

Use Sass-like variables, conditionals, and iterators in CSS
Creative Commons Zero v1.0 Universal

Dependency on postcss v7.0.6 exposes security vulnerability (PostCSS < 8.4.31) #105

Closed ariestaazalia closed 8 months ago

ariestaazalia commented 11 months ago

Issue Description

Current version: v3.0.1 Dependency: postcss v7.0.6

Problem

The current version of the package relies on PostCSS v7.0.6, which has a known issue affecting linters parsing external Cascading Style Sheets (CSS). The specific problem is related to handling \r discrepancies, as demonstrated by the following example:

@font-face {
  font: (\r/*);
}

This issue is a security vulnerability and has been discovered in PostCSS versions before 8.4.31.

Please upgrade the dependency above to >8.4.31

romainmenke commented 8 months ago

I will publish a new version to resolve this.

npm why postcss
postcss@8.4.35 dev
node_modules/postcss
  dev postcss@"^8.2.4" from the root project
  postcss@"^8.2.7" from postcss-scss@3.0.5
  node_modules/postcss-scss
    dev postcss-scss@"^3.0.5" from the root project
  peer postcss@"^7 || ^8" from postcss-tape@6.0.1
  node_modules/postcss-tape
    dev postcss-tape@"^6.0.1" from the root project