jjlharrison / gulp-rtlcss

Gulp plugin that uses RTLCSS to convert LTR CSS to RTL.
MIT License

Vulnerability in postcss@6.0.23 #25

Closed alanoudssr closed 2 years ago

alanoudssr commented 2 years ago

Security vulnerability in postcss@6.0.2 CVE-2021-23382 is detected via the following package dependency path: rtlcss@2.6.2 ➔ postcss@6.0.2

The vulnerability in postcss@6.0.2 has been resolved in version 8.2.13, 7.0.36 or higher. rtlcss has also resolved the dependency on postcss@6.0.2 by upgrading to postcss@^8.2.1 with the release of version 3.x.

Description of Vulnerability:

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/*\s# sourceMappingURL=(.).

Solution:

Upgrade rtlcss^2.6.2 ➔ ^3.0.0
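As an added defender-side check, not code from this issue or from the gulp-rtlcss project: a script that walks a package-lock.json (lockfileVersion 1 layout, nested `dependencies`) and reports every postcss copy below the fix versions quoted above. The sample lockfile and its non-postcss version strings are constructed; the 7.0.36 / 8.2.13 thresholds come from the issue text.

```javascript
// Added example (not from the issue or the project): find postcss copies in a
// lockfile tree that predate the CVE-2021-23382 fix versions named above.
const FIXED = { 7: [7, 0, 36], 8: [8, 2, 13] };

function parseVersion(v) {
  // Strip a leading range operator such as ^ or ~, then split numerically.
  return v.replace(/^[\^~>=<\s]+/, '').split('.').map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// True when this postcss version carries the ReDoS fix (7.0.36+ or 8.2.13+).
function isPostcssFixed(version) {
  const v = parseVersion(version);
  if (v[0] < 7) return false;                 // 6.x and earlier: never fixed
  if (v[0] === 7) return compare(v, FIXED[7]) >= 0;
  return compare(v, FIXED[8]) >= 0;           // 8.x and anything later
}

// Walk the nested lockfile tree and return the dependency path of every
// vulnerable postcss copy, e.g. "rtlcss@2.6.2 > postcss@6.0.23".
function findVulnerablePostcss(lock, prefix = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...prefix, `${name}@${entry.version}`];
    if (name === 'postcss' && !isPostcssFixed(entry.version)) {
      hits.push(path.join(' > '));
    }
    hits.push(...findVulnerablePostcss(entry, path));
  }
  return hits;
}

// Constructed sample lockfile mirroring the dependency path from the issue;
// the non-postcss version strings are placeholders, not real releases.
const SAMPLE_LOCK = {
  dependencies: {
    'gulp-rtlcss': { version: '0.0.0-example', dependencies: {
      rtlcss: { version: '2.6.2', dependencies: { postcss: { version: '6.0.23' } } },
    } },
    'some-other-plugin': { version: '0.0.0-example',
      dependencies: { postcss: { version: '8.2.13' } } },
  },
};

console.log(findVulnerablePostcss(SAMPLE_LOCK));
```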

jjlharrison commented 2 years ago

Upgrade to rtlcss^3.5.0 released.