mdx-editor / editor

A rich text editor React component for markdown
https://mdxeditor.dev
MIT License
1.88k stars, 143 forks

Security Issue - Postcss-extend #435

Closed dharanish-v closed 5 months ago

dharanish-v commented 5 months ago

The package postcss-extend used is an 8-year-old package and uses postcss v5 internally, which has a lot of security vulnerabilities:

| Dependency Name | CVE | CWE | Severity | Score |
|---|---|---|---|---|
| postcss:5.2.18 | CVE-2021-23382 | CWE-1333 Inefficient Regular Expression Complexity | HIGH | 7.5 |
| postcss:5.2.18 | CVE-2023-44270 | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | MEDIUM | 5.3 |
| postcss:5.2.18 | GHSA-566m-qj78-rww5 | CWE-400 Uncontrolled Resource Consumption | MEDIUM | 5.3 |

Can you replace postcss-extend with an upgraded alternative or remove the use of it? These vulnerabilities stop enterprise applications from utilizing this amazing library that is available. Looking for a response as soon as possible. Thanks.

petyosi commented 5 months ago

That's a fair point - the package is actually not used anywhere. However, it's a dev dependency and does not come in runtime. Can you clarify how this affects the security of the enterprise applications you refer to?
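The question above, whether a flagged package is reachable at runtime or only through devDependencies, can be answered mechanically from the lockfile rather than by scanning the flat `node_modules` tree. The script below is an added example, not code from mdx-editor or from either commenter: it walks a constructed `package-lock.json` (lockfileVersion 3) from the root's production `dependencies` only, then reports for each advisory whether the installed version is vulnerable and whether it sits in the runtime graph. The lockfile contents, the `react`/`loose-envify` packages and the `fixedIn` versions are assumptions made for the example; the advisory identifiers are the ones listed in the issue.

```javascript
// Added example (not mdx-editor's code): triage lockfile advisories by whether
// the affected package is reachable from the runtime dependency graph.

// Constructed package-lock.json (lockfileVersion 3) modelled on this thread:
// postcss-extend is a devDependency that pulls in postcss 5.2.18, while the
// runtime graph holds only a hypothetical "react" dependency.
const lockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { react: "^18.0.0" },
      devDependencies: { "postcss-extend": "^1.0.5" },
    },
    "node_modules/react": { version: "18.2.0", dependencies: { "loose-envify": "^1.1.0" } },
    "node_modules/loose-envify": { version: "1.4.0" },
    "node_modules/postcss-extend": { version: "1.0.5", dev: true, dependencies: { postcss: "^5.0.0" } },
    "node_modules/postcss": { version: "5.2.18", dev: true },
  },
};

// Same tree, but with postcss promoted to a runtime dependency of the app.
const lockfileRuntimePostcss = {
  ...lockfile,
  packages: {
    ...lockfile.packages,
    "": {
      dependencies: { react: "^18.0.0", postcss: "^5.0.0" },
      devDependencies: { "postcss-extend": "^1.0.5" },
    },
    "node_modules/postcss": { version: "5.2.18" },
  },
};

// Constructed advisory records using the identifiers from the issue. The
// "fixedIn" versions are assumptions for this example; take the real ranges
// from the advisory database.
const advisories = [
  { id: "CVE-2021-23382", package: "postcss", fixedIn: "8.2.13" },
  { id: "GHSA-566m-qj78-rww5", package: "postcss", fixedIn: "7.0.36" },
  { id: "CVE-2023-44270", package: "postcss", fixedIn: "8.4.31" },
];

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release tags are not handled; that is enough for this illustration.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Breadth-first walk from the root's production `dependencies`, following each
// package's own `dependencies` and `optionalDependencies`. Assumes a hoisted,
// flat node_modules layout; real lockfiles may nest "node_modules/a/node_modules/b".
function runtimePackages(lock) {
  const reached = new Map(); // name -> installed version
  const queue = Object.keys(lock.packages[""].dependencies || {});
  while (queue.length) {
    const name = queue.shift();
    if (reached.has(name)) continue;
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) continue; // not installed, e.g. a skipped optional dependency
    reached.set(name, entry.version);
    queue.push(
      ...Object.keys(entry.dependencies || {}),
      ...Object.keys(entry.optionalDependencies || {}),
    );
  }
  return reached;
}

// For each advisory: installed version (if any), whether it is below the fix,
// and whether the vulnerable copy is reachable at runtime or only via devDependencies.
function triageAdvisories(lock, advisoryList) {
  const runtime = runtimePackages(lock);
  return advisoryList.map((adv) => {
    const entry = lock.packages[`node_modules/${adv.package}`];
    const installed = entry ? entry.version : null;
    const vulnerable = installed !== null && compareVersions(installed, adv.fixedIn) < 0;
    const atRuntime = vulnerable && runtime.has(adv.package);
    return { id: adv.id, package: adv.package, installed, vulnerable, reachableAtRuntime: atRuntime, devOnly: vulnerable && !atRuntime };
  });
}

// Stand-alone run: show the verdict flipping between the two constructed trees.
for (const [label, lock] of [["devDependency only", lockfile], ["runtime dependency", lockfileRuntimePostcss]]) {
  console.log(label);
  for (const r of triageAdvisories(lock, advisories)) console.log("  ", r);
}
```

Reachability from the production graph, rather than the lockfile's `dev: true` flag, is the property that matters: a package marked `dev` is still shipped if some runtime dependency also depends on it. For a real project the built-in equivalent is `npm audit --omit=dev`, which restricts the audit to the same production graph; the `devOnly` findings are still worth fixing (the later comment explains why), but they belong in a different risk bucket from code that reaches users.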

dharanish-v commented 5 months ago

The ESLint hack on July 12, 2018, is the best example to explain this. That package had a backdoor and was vulnerable to DoS. And unfortunately, all packages using this ESLint vulnerable version fell victim to it, causing lots of services to suffer downtime due to exploitation via the vulnerability introduced by packages that had ESLint as a devDependency. ESLint developers had to roll out a quick emergency security update to address this issue. We should be treating every devDependency with the same scrutiny that we apply to our production modules, especially or unless it is not being used for testing purposes only.