npm audit gives the following:
merge <2.1.1
Will install postcss-critical-split@1.0.4, which is a breaking change
postcss-critical-split >=2.0.0
Depends on vulnerable versions of merge
node_modules/postcss-critical-split
We are seeing this in our npm audits as well. It looks like this was addressed in #22. The version bump has not been pushed with this change as of yet.
npm audit gives the following: merge <2.1.1 Will install postcss-critical-split@1.0.4, which is a breaking change postcss-critical-split >=2.0.0 Depends on vulnerable versions of merge node_modules/postcss-critical-split