parcel-bundler / parcel

The zero configuration build tool for the web. 📦🚀
https://parceljs.org
MIT License

npm audit moderate severity postcss dependency related #6315

Closed murdocha closed 2 years ago

murdocha commented 3 years ago

πŸ› bug report

NPM audit moderate severity findings in parcel-bundler 1.12.5 (postcss dependency related)

🎛 Configuration (.babelrc, package.json, cli command)

from .babelrc:

{
  "presets": [
    "preact",
    [
      "env",
      {
        "targets": {
          "browsers": "last 2 Firefox versions, last 2 Chrome versions, last 2 Edge versions, last 2 Safari versions"
        }
      }
    ]
  ]
}

from package.json:

  "devDependencies": {
    "@babel/core": "^7.11.6",
    "@babel/plugin-proposal-class-properties": "^7.10.4",
    "babel-preset-env": "^1.7.0",
    "babel-preset-preact": "^2.0.0",
    "chai": "^4.1.2",
    "easyimage": "^3.1.0",
    "eslint": "^7.9.0",
    "eslint-config-standard-jsx": "^8.1.0",
    "eslint-config-standard-preact": "^1.1.6",
    "express": "^4.17.1",
    "js-yaml": "^3.12.0",
    "looks-same": "^3.3.0",
    "mocha": "^7.0.0",
    "mochawesome": "^6.1.1",
    "parcel-bundler": "^1.12.5",
    "request-promise": "^4.2.5",
    "sass": "^1.26.10",
    "selenium-webdriver": "^4.0.0-alpha.7",
    "standard": "^14.3.4"
  }

🤔 Expected Behavior

npm audit will succeed

😯 Current Behavior

npm audit returns 66 moderate severity vulnerabilities

These all seem related to the same postcss npm advisory (https://npmjs.com/advisories/1693) via cssnano and htmlnano:


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  css-declaration-sorter > postcss                              

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > css-declaration-sorter > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  cssnano-util-raw-cache > postcss                              

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > cssnano-util-raw-cache > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default > postcss   

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss                                                     

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-calc > postcss                                        

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-calc > postcss                                      

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-colormin > postcss                                    

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-colormin > postcss                                  

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-convert-values > postcss                              

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-convert-values > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-comments > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-comments > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-duplicates > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-duplicates > postcss                        

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-empty > postcss                               

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-empty > postcss                             

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-overridden > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-overridden > postcss                        

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-merge-longhand > postcss                              

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-merge-longhand > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-merge-longhand > stylehacks > postcss                 

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-merge-longhand > stylehacks > postcss               

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-merge-rules > postcss                                 

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-merge-rules > postcss                               

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-font-values > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-font-values > postcss                        

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-gradients > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-gradients > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-params > postcss                               

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-params > postcss                             

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-selectors > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-selectors > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-charset > postcss                           

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-charset > postcss                         

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-display-values > postcss                    

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-display-values > postcss                  

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-positions > postcss                         

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-positions > postcss                       

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-repeat-style > postcss                      

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-repeat-style > postcss                    

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-string > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-string > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-timing-functions > postcss                  

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-timing-functions > postcss                

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-unicode > postcss                           

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-unicode > postcss                         

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-url > postcss                               

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-url > postcss                             

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-whitespace > postcss                        

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-whitespace > postcss                      

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-ordered-values > postcss                              

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-ordered-values > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-reduce-initial > postcss                              

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-reduce-initial > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-reduce-transforms > postcss                           

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-reduce-transforms > postcss                         

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-svgo > postcss                                        

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-svgo > postcss                                      

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-unique-selectors > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-unique-selectors > postcss                          

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > postcss                            

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > postcss                 

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > uncss > postcss                   

  More info       https://npmjs.com/advisories/1693                             

  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > purgecss > postcss                

  More info       https://npmjs.com/advisories/1693                             

found 66 moderate severity vulnerabilities in 1642 scanned packages
  66 vulnerabilities require manual review. See the full report for details.

πŸ’ Possible Solution

Update internal dependencies on htmlnano and cssnano to versions that use postcss version greater than or equal to 8.2.10. I'm not at all sure how difficult or easy that would be...

πŸ”¦ Context

Some organizations (including ours) have security policies which prevent production deployments if npm audit vulnerabilities are found (even in dev dependencies). I know this particular npm audit finding may not be truly as severe as npm audit describes, but dealing with security audits is a fact of life.

The root of the issue appears to be in postcss v7, as mentioned here: https://github.com/postcss/postcss/issues/1574 (that version will not be fixed, as the developer has a newer version to maintain, postcss v8).

I realize that Parcel 1 is also in "maintenance mode" and there is a push to move to Parcel 2 (as mentioned here: https://github.com/parcel-bundler/parcel/issues/5250#issuecomment-750379659)

I've made a first (so far unsuccessful) attempt to migrate to Parcel 2, but these npm audit findings are also present after uninstalling Parcel 1 (parcel-bundler) and installing the latest Parcel 2 using npm. So this issue likely impacts all Parcel users of both versions?

πŸ’» Code Sample

for version 1:

npm init
npm install parcel-bundler
npm audit

or for version 2:

npm init
npm install parcel
npm audit

🌍 Your Environment

Software          Version(s)
Parcel            1.12.5
Node              12.22.0
npm/Yarn          npm v. 6.14.11
Operating System  win 10

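A small triage script for this kind of report, added here as an example (not code from the Parcel project or from the reporter): it reads the npm 6 `npm audit --json` structure, collapses the many repeated findings into one row per advisory, and classifies each dependency path as dev or prod by its root package, so a deployment policy like the one described above can tell "reachable only through dev tooling" apart from "shipped to production". The sample audit data is constructed from the paths shown in this thread; the installed postcss version 7.0.35 is an assumption.

```javascript
// Added example (not Parcel project code): triage npm 6 `npm audit --json`
// output by collapsing repeated findings to unique advisories and classifying
// each dependency path as dev or prod by its root package.

// Constructed sample modelled on the report in this thread (advisory 1693).
const packageJson = {
  dependencies: { express: "^4.17.1" },
  devDependencies: { "parcel-bundler": "^1.12.5", mocha: "^7.0.0" },
};
const auditJson = {
  advisories: {
    1693: {
      id: 1693,
      module_name: "postcss",
      severity: "moderate",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=8.2.10",
      url: "https://npmjs.com/advisories/1693",
      findings: [{ version: "7.0.35", paths: [ // version is assumed
        "parcel-bundler>cssnano>postcss",
        "parcel-bundler>htmlnano>cssnano>postcss",
        "parcel-bundler>htmlnano>uncss>postcss",
        "parcel-bundler>htmlnano>purgecss>postcss",
      ] }],
    },
  },
};

// A path is "prod" when its root package is a regular (non-dev) dependency.
function rootIsProd(path, pkg) {
  const root = path.split(">")[0];
  return Object.prototype.hasOwnProperty.call(pkg.dependencies || {}, root);
}

// Returns one row per advisory plus a policy decision: fail when any
// vulnerable path is reachable from prod, or from dev too if failOnDev is set.
function triageAudit(audit, pkg, { failOnDev = false } = {}) {
  const advisories = Object.values(audit.advisories || {}).map((a) => {
    const paths = a.findings.flatMap((f) => f.paths);
    const prodPaths = paths.filter((p) => rootIsProd(p, pkg)).length;
    return { id: a.id, module: a.module_name, severity: a.severity,
      patched: a.patched_versions, paths: paths.length,
      prodPaths, devPaths: paths.length - prodPaths };
  });
  const shouldFail = advisories.some(
    (a) => a.prodPaths > 0 || (failOnDev && a.devPaths > 0));
  return { advisories, shouldFail };
}

console.table(triageAudit(auditJson, packageJson).advisories);
```

To run it against a real report, save `npm audit --json` to a file and pass `JSON.parse(fs.readFileSync(file, "utf8"))` together with the project's package.json in place of the constructed objects.
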
mischnic commented 3 years ago

https://github.com/parcel-bundler/parcel/pull/6317 upgrades htmlnano and cssnano to the latest version, but even the latest htmlnano still uses uncss, which depends on PostCSS 7.

murdocha commented 3 years ago

Will the upcoming fixes to Parcel 2 referenced above make their way into parcel-bundler (v1)?

mischnic commented 3 years ago

No. Especially because updating dependencies to new major versions would be a breaking change for v1.

murdocha commented 3 years ago

Not really a "thumbs up" but more of an "acknowledged". I know from reading some of the issue traffic that parcel-bundler v1 is in "maintenance" and most (all?) future development efforts are being directed to parcel v2. This deprecation warning is also present on the NPM package page here: https://www.npmjs.com/package/parcel-bundler.

I'd suggest that you also add a deprecation notice (re: v1) to the top of the main parcel repo (since both v1 and v2 seem to share a repo). It's also somewhat unfortunate/confusing that v2 is tagged as a "beta" version even though that is now the only actively developed "production" version. I'd also suggest dropping the beta tag for v2 now that it is stable (for most users?).

Thanks for tackling the npm audit fixes in v2! That helps me make the case to migrate to v2 going forward.

danieltroger commented 3 years ago

Thanks for opening this issue and for fixing it! And I agree that v2 has been in beta/nightly for way too long. I mean it's soon at version 800. At one daily release that's like more than 2 years????

We've been using it in prod since the beginning of this year and it's been doing an awesome job. There were some bugs in the nightly release but they're fixed quickly and the beta ones should be quite stable.

Parcel 1 is buggier than v2 at this point so I really don't see why it shouldn't be declared dead.

damianobarbati commented 3 years ago

@danieltroger how do you keep up with the constant security vulnerabilities?

mischnic commented 3 years ago

There are three sources at the moment:

And in all of these cases, a denial of service isn't really a security vulnerability in the Parcel use case. The worst case here is that your build never finishes; you're not running PostCSS in a SaaS webapp like codesandbox.

mischnic commented 2 years ago

npm audit doesn't report any errors at the moment with parcel@nightly.