Closed murdocha closed 2 years ago
https://github.com/parcel-bundler/parcel/pull/6317 upgrades htmlnano and cssnano to the latest version, but even the latest htmlnano still uses uncss which depends on PostCSS 7
will the upcoming fixes to Parcel 2 referenced above make their way into parcel-bundler (v1)?
No. Especially because updating dependencies to new major versions would be a breaking change for v1.
not really a "thumbs up" but more of an "acknowledged". I know from reading some of the issue traffic that parcel-bundler v1 is in "maintenance" and most (all?) future development efforts are being directed to parcel v2. This deprecation warning is also present on the NPM package page here: https://www.npmjs.com/package/parcel-bundler.
I'd suggest that you also add a deprecation notice (re: v1) to the top of the main parcel repo (since both v1 and v2 seem to share a repo). It's also somewhat unfortunate/confusing that v2 is tagged as a "beta" version even though that is now the only actively developed "production" version. I'd also suggest dropping the beta tag for v2 now that it is stable (for most users?).
Thanks for tackling the npm audit fixes in v2! That helps me make the case to migrate to v2 going forward.
Thanks for opening this issue and for fixing it! And I agree that v2 has been in beta/nightly for way too long. I mean it's soon at version 800. At one daily release that's like more than 2 years????
We've been using it in prod since the beginning of this year and it's been doing an awesome job. There were some bugs in the nightly release but they're fixed quickly and the beta ones should be quite stable.
Parcel 1 is buggier than v2 at this point so I really don't see why it shouldn't be declared dead.
@danieltroger how do you keep up with the constant security vulnerabilities?
There are three sources at the moment:
- css-what: https://github.com/svg/svgo/pull/1485
- uncss and postcss-modules, so these two packages need to be changed to use PostCSS 8

And in all of these cases, a denial of service isn't really a security vulnerability in the Parcel use case. The worst case here is that your build never finishes; you're not running PostCSS in a SaaS webapp like codesandbox.
npm audit doesn't report any errors at the moment with parcel@nightly
bug report
NPM audit moderate severity findings in parcel-bundler 1.12.5 (postcss dependency related)
Configuration (.babelrc, package.json, cli command)
from .babelrc:
from package.json:
Expected Behavior
npm audit will succeed
Current Behavior
npm audit returns 66 moderate severity vulnerabilities
These all seem related to the same postcss npm advisory (https://npmjs.com/advisories/1693) via cssnano and htmlnano:
Possible Solution
Update internal dependencies on htmlnano and cssnano to versions that use postcss version greater than or equal to 8.2.10. I'm not at all sure how difficult or easy that would be...
Context
Some organizations (including ours) have security policies which prevent production deployments if npm audit vulnerabilities are found (even in dev dependencies). I know this particular npm audit finding may not be truly as severe as npm audit describes, but dealing with security audits is a fact of life.
The root of the issue appears to be in postcss v7 as mentioned here: https://github.com/postcss/postcss/issues/1574 but that version will not be fixed as the developer has a newer version to maintain (postcss v8)
I realize that Parcel 1 is also in "maintenance mode" and there is a push to move to Parcel 2 (as mentioned here: https://github.com/parcel-bundler/parcel/issues/5250#issuecomment-750379659)
I've made a first (so far unsuccessful) attempt to migrate to Parcel 2, but these npm audit findings are also present after uninstalling Parcel 1 (parcel-bundler) and installing the latest Parcel 2 using npm. So this issue likely impacts all Parcel users of both versions?
Code Sample
for version 1:
or for version 2:
Your Environment
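A triage script for the `npm audit --json` output discussed in this thread, added here as an example and not code from the Parcel project or any participant. It assumes the npm 6 report layout (an `advisories` map whose findings carry a `dev` flag) and uses a constructed report that mirrors advisory 1693 reached through cssnano and htmlnano; it contrasts the reporter's "any finding blocks deployment" policy with the maintainer's point that a dev-only denial of service in a build tool never reaches production:

```javascript
// Added example (not from the issue thread): triage an `npm audit --json`
// report so a CI gate can tell "any finding at all" from "a finding that
// reaches production code". The report below is constructed to mirror the
// thread: advisory 1693 (postcss 7) via parcel-bundler's cssnano/htmlnano under
// devDependencies. The per-finding `dev` flag is an assumed npm 6 field name.
const SAMPLE_AUDIT = {
  advisories: {
    "1693": {
      id: 1693,
      module_name: "postcss",
      severity: "moderate",
      patched_versions: ">=8.2.10",
      findings: [
        { version: "7.0.35", paths: ["parcel-bundler>cssnano>postcss"], dev: true },
        { version: "7.0.35", paths: ["parcel-bundler>htmlnano>cssnano>postcss"], dev: true },
      ],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Summarise each advisory: severity, whether every dependency path is dev-only,
// the direct dependencies that pull it in (first path segment), and the fix.
function triageAudit(report) {
  return Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const paths = findings.flatMap((f) => f.paths || []);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      devOnly: findings.length > 0 && findings.every((f) => f.dev === true),
      roots: [...new Set(paths.map((p) => p.split(">")[0]))],
      fixedIn: adv.patched_versions,
      pathCount: paths.length,
    };
  });
}

// Policy gate. Default: block only when an advisory at or above `minSeverity`
// reaches a non-dev path (the maintainer's "build tool" reading of the risk).
// `includeDev: true` reproduces the stricter "any finding blocks" org policy.
function shouldBlockDeploy(report, { minSeverity = "high", includeDev = false } = {}) {
  const threshold = SEVERITY_RANK[minSeverity] ?? SEVERITY_RANK.high;
  return triageAudit(report).some(
    (t) => SEVERITY_RANK[t.severity] >= threshold && (includeDev || !t.devOnly)
  );
}
```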