Plugin depends on vulnerable versions of merge

mrnocreativity / postcss-critical-split

A PostCSS plugin that takes existing CSS files and splits out the annotated critical styles into a seperate file.

MIT License

89 stars 6 forks source link

Plugin depends on vulnerable versions of merge #33

Open mirolyubovN opened 3 years ago

mirolyubovN commented 3 years ago

npm audit gives the following: merge <2.1.1 Will install postcss-critical-split@1.0.4, which is a breaking change postcss-critical-split >=2.0.0 Depends on vulnerable versions of merge node_modules/postcss-critical-split

stevenslack commented 3 years ago

We are seeing this in our npm audits as well. It looks like this was addressed in #22. The version bump has not been pushed with this change as of yet.