gulp-sourcemaps / identity-map

Gulp plugin for generating an identity sourcemap for a file.
MIT License

Bump PostCSS to 8.3, resolving CVE-2021-23368 #12

Open tommylau-exe opened 3 years ago

tommylau-exe commented 3 years ago

Fixes PostCSS ReDoS vulnerability. See https://www.npmjs.com/advisories/1693

All tests run using npm run test pass. At a glance, it doesn't look like there are any relevant breaking changes in the PostCSS 8.0.0 release notes.

tommylau-exe commented 3 years ago

Looks like the CI for Node v6 failed. This is probably due to one of PostCSS 8's breaking changes, which drops support for Node v6, among others:

PostCSS 8 dropped Node.js 6.x, 8.x, 11.x, and 13.x versions support. All these versions have no security updates anymore.

Pulled from PostCSS 8.0.0 release notes under "Breaking Changes".

niksy commented 2 years ago

What can we do to help to get this merged?

alex-voznyuk-kovaltchuk-sp commented 5 months ago

@nmccready @tchetwin @phated Could you please merge it and create a release?