Closed dharanish-v closed 5 months ago
That's a fair point - the package is actually not used anywhere. However, it's a dev dependency and does not come in runtime. Can you clarify how this affects the security of the enterprise applications you refer to?
The ESLint hack on July 12, 2018, is the best example to explain this. That package had a backdoor and was vulnerable to DoS. And unfortunately, all packages using this ESLint vulnerable version fell victim to it, causing lots of services to suffer downtime due to exploitation via the vulnerability introduced by packages that had ESLint as a devDependency. ESLint developers had to roll out a quick emergency security update to address this issue. We should be treating every devDependency with the same scrutiny that we apply to our production modules, especially or unless it is not being used for testing purposes only.
The package `postcss-extend` used is an 8-year-old package and uses `postcss` v5 internally, which has a lot of security vulnerabilities. Can you replace `postcss-extend` with an upgraded alternative or remove the use of it? These vulnerabilities stop enterprise applications from utilizing this amazing library that is available. Looking for a response as soon as possible. Thanks.
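The thread's point is that a transitive dependency like `postcss` v5 can hide under a devDependency (`postcss-extend`) while the top-level `postcss` looks current. The following is an added example, not code from this issue or the project, showing how to walk a `package-lock.json` (lockfileVersion 2/3 `packages` map) and flag every installed copy of a package below a minimum major version, along with the dependency chain that pulls it in and whether it is dev-only. The lock data and version numbers are constructed for illustration.

```javascript
// Added example: audit a package-lock.json "packages" map for old copies of
// a package, including ones nested under devDependencies. Constructed data.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { postcss: "^8.0.0" }, devDependencies: { "postcss-extend": "*" } },
    "node_modules/postcss": { version: "8.4.0" },
    "node_modules/postcss-extend": { version: "2.1.0", dev: true, dependencies: { postcss: "^5.0.0" } },
    // nested copy: the old major only reachable through the dev dependency
    "node_modules/postcss-extend/node_modules/postcss": { version: "5.2.18", dev: true },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/"
// (keeps scoped names such as "@scope/pkg" intact).
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Chain of installing packages for a nested path, outermost first,
// e.g. "node_modules/a/node_modules/b" -> ["a", "b"].
function chainOf(lockPath) {
  const chain = [];
  let cur = lockPath;
  while (cur !== "") {
    chain.unshift(packageName(cur));
    const cut = cur.lastIndexOf("/node_modules/");
    cur = cut === -1 ? "" : cur.slice(0, cut);
  }
  return chain;
}

// Every installed copy of `name` whose major version is below `minMajor`.
// `devOnly` is true when npm marked the copy as reachable only via devDependencies.
function findOutdatedCopies(lock, name, minMajor) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || packageName(path) !== name) continue;
    const major = parseInt(meta.version.split(".")[0], 10);
    if (Number.isNaN(major) || major >= minMajor) continue;
    findings.push({ path, version: meta.version, devOnly: meta.dev === true, via: chainOf(path).join(" > ") });
  }
  return findings;
}

// Usage: flag any postcss below major 6 (the thread's concern), dev or not.
console.log(findOutdatedCopies(CONSTRUCTED_LOCK, "postcss", 6));
```

Running it against a real lockfile only requires replacing `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a dev-only hit still deserves the same scrutiny as a runtime one, which is the thread's argument.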