egoist / rollup-plugin-postcss

Seamless integration between Rollup and PostCSS.
MIT License

Vulnerabilities on version 4.0.0 with PostCSS #373

Open glebsexy opened 3 years ago

glebsexy commented 3 years ago

Hi, when updating dependencies I got a message about 34 moderate severity vulnerabilities. These are apparently caused by the outdated version of PostCSS. Here is the full npm audit output:

# npm audit report

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install rollup-plugin-postcss@1.6.3, which is a breaking change
node_modules/cssnano-util-raw-cache/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/css-declaration-sorter/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/cssnano-preset-default/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/cssnano/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-calc/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-colormin/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-convert-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-comments/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-duplicates/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-empty/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-overridden/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-merge-longhand/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-merge-rules/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-font-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-gradients/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-params/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-selectors/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-charset/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-display-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-positions/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-repeat-style/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-string/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-timing-functions/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-unicode/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-url/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-whitespace/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-ordered-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-initial/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-transforms/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-svgo/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-unique-selectors/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/stylehacks/node_modules/postcss
  css-declaration-sorter  4.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/css-declaration-sorter
    cssnano-preset-default  <=4.0.0-rc.2 || 4.0.1 - 4.0.8
    Depends on vulnerable versions of css-declaration-sorter
    Depends on vulnerable versions of cssnano-util-raw-cache
    Depends on vulnerable versions of postcss
    node_modules/rollup-plugin-postcss/node_modules/cssnano-preset-default
  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/cssnano
    rollup-plugin-postcss  >=2.0.0
    Depends on vulnerable versions of cssnano
    node_modules/rollup-plugin-postcss
  cssnano-util-raw-cache  >=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  postcss-calc  6.0.2 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-calc
  postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-colormin
  postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-convert-values
  postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-discard-comments
  postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-discard-duplicates
  postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-discard-empty
  postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-discard-overridden
  postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-merge-longhand
  postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-merge-rules
  postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-minify-font-values
  postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-minify-gradients
  postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-minify-params
  postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-minify-selectors
  postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-unicode
  postcss-normalize-url  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-whitespace
  postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-ordered-values
  postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-initial
  postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-transforms
  postcss-svgo  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-svgo
  postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/postcss-unique-selectors
  stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/rollup-plugin-postcss/node_modules/stylehacks

34 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Is there a way to fix this?

beruic commented 3 years ago

I dived a bit into this. It seems like an upgrade of cssnano will do the trick, as this seems to be where the dependency is rooted.
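As an added illustration, not code from the issue or from rollup-plugin-postcss, the following parses the npm audit text format quoted above and follows its "Depends on vulnerable versions of" lines from the top-level package down to the advisory; the report excerpt is constructed and condensed from the one in the issue, and the result shows that cssnano is the direct dependency on the path to the vulnerable postcss range.

```javascript
// Constructed, condensed excerpt of the npm audit text report quoted in this issue.
const SAMPLE_REPORT = [
  'postcss  7.0.0 - 8.2.9',
  'Severity: moderate',
  'Regular Expression Denial of Service - https://npmjs.com/advisories/1693',
  '  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11',
  '  Depends on vulnerable versions of postcss',
  '    rollup-plugin-postcss  >=2.0.0',
  '    Depends on vulnerable versions of cssnano',
  '    node_modules/rollup-plugin-postcss',
].join('\n');

// Parse the report into name -> { range, advisory, dependsOn }. A package line is
// "<name><2+ spaces><version range>"; the lines that follow it describe that package.
function parseAudit(text) {
  const pkgs = new Map();
  let cur = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = /^(\S+)\s{2,}(\S.*)$/.exec(line))) {
      cur = { name: m[1], range: m[2], advisory: null, dependsOn: new Set() };
      pkgs.set(m[1], cur);
    } else if (cur && (m = /^Depends on vulnerable versions of (\S+)$/.exec(line))) {
      cur.dependsOn.add(m[1]);                      // edge: cur -> vulnerable dependency
    } else if (cur && line.startsWith('Severity: ')) {
      cur.advisory = { severity: line.slice(10) };  // the advisory is on cur itself
    } else if (cur && cur.advisory && / - https?:\/\//.test(line)) {
      cur.advisory.url = line.slice(line.lastIndexOf(' - ') + 3);   // advisory link
    }
  }
  return pkgs;
}

// Follow "Depends on" edges from a root package to every package carrying an advisory.
function vulnerableChains(pkgs, root) {
  const chains = [];
  (function walk(name, path) {
    const p = pkgs.get(name);
    if (!p || path.includes(name)) return;          // unknown package or cycle
    const next = [...path, name];
    if (p.advisory) chains.push(next);
    for (const dep of p.dependsOn) walk(dep, next);
  })(root, []);
  return chains;
}

// The first hop below the root is the direct dependency whose version must be bumped.
const directDepsToBump = chains => new Set(chains.filter(c => c.length > 1).map(c => c[1]));
```

Run against the full report from the issue, the same walk yields the single chain rollup-plugin-postcss -> cssnano -> postcss, which is why bumping cssnano rather than any of the postcss-* plugins individually is the fix.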

cowills commented 3 years ago

Looks like there are 2 PRs open that should resolve this issue:

https://github.com/egoist/rollup-plugin-postcss/pull/368 updates to a version of cssnano with a backported patch
https://github.com/egoist/rollup-plugin-postcss/pull/357 updates to a version of cssnano which uses postcss 8

beruic commented 3 years ago

#368 won't fix it, but #357 will.