postcss / postcss-custom-properties

Use Custom Properties in CSS
https://postcss.github.io/postcss-custom-properties
MIT License
597 stars, 77 forks

url-regex vulnerability #226

Closed MichaelRFox closed 3 years ago

MichaelRFox commented 3 years ago

NPM reports url-regex presents a high severity vulnerability: see https://npmjs.com/advisories/1550. This package seems to be no longer maintained, however there is a similar package, url-regex-safe, which addresses the issue.
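Advisory 1550 is a regular-expression denial-of-service report against url-regex (a crafted input makes the pattern backtrack super-linearly). The following is an added example, not code from url-regex, url-regex-safe, postcss-values-parser or this project. It shows one way a consumer can pick url() arguments out of a CSS declaration value without running any URL regex at all: a hand-written linear scan for the tokens, a length bound applied before any expensive work, and the built-in WHATWG URL parser as the final judge. The length bound of 2048 and the http/https allow-list are this example's assumptions.

```javascript
// Added example; not code from url-regex, url-regex-safe, postcss-values-parser
// or postcss-custom-properties. Extracts url(...) arguments from a CSS value
// with a linear scan and validates them with the WHATWG URL parser, so no
// backtracking regex is involved. The length bound and the protocol
// allow-list below are this example's assumptions.

const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Return the raw argument of every url(...) in a declaration value.
// Handles quoted and unquoted forms and backslash escapes; strings and
// comments elsewhere in the value are not modelled (assumption).
function extractUrlTokens(value) {
  const tokens = [];
  const lower = value.toLowerCase();
  let i = 0;
  for (;;) {
    const start = lower.indexOf('url(', i);
    if (start === -1) return tokens;
    let j = start + 4;
    while (j < value.length && /\s/.test(value[j])) j++; // skip leading whitespace
    const quote = value[j] === '"' || value[j] === "'" ? value[j] : null;
    if (quote) j++;
    let arg = '';
    while (j < value.length) {
      const c = value[j];
      if (quote ? c === quote : c === ')') break; // end of the argument
      if (c === '\\' && j + 1 < value.length) {   // backslash escape
        arg += value[j + 1];
        j += 2;
        continue;
      }
      arg += c;
      j++;
    }
    tokens.push(arg.trim());
    i = j + 1;
  }
}

// Validate one candidate without a regex: cheap length guard first, then the
// URL parser. Returns the normalised href, or null when rejected.
function validateUrl(candidate, maxLength = MAX_URL_LENGTH) {
  if (candidate.length === 0 || candidate.length > maxLength) return null;
  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Absolute http(s) URLs found in a value, in order of appearance.
function safeUrlsInValue(value) {
  return extractUrlTokens(value)
    .map((t) => validateUrl(t))
    .filter((u) => u !== null);
}
```

The length check runs before the parser so that an oversized value is rejected at constant cost; the parser itself is linear in the input, which is the property the regex lacked. Relative URLs and data: URLs are dropped on purpose here; a real consumer would decide per use what to keep.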

Hypnosphi commented 3 years ago

See https://github.com/shellscape/postcss-values-parser/issues/120

kevinlandsberg commented 3 years ago

So what is the solution?

Hypnosphi commented 3 years ago

This: https://github.com/shellscape/postcss-values-parser/issues/120#issuecomment-678147430

kevinlandsberg commented 3 years ago

But I don't see a solution, only discussions. Can you tell me exactly what I can do?

Hypnosphi commented 3 years ago

You can help them migrate to url-regex-safe

kevinlandsberg commented 3 years ago

> You can help them migrate to url-regex-safe

?

jonathantneal commented 3 years ago

I need time or help chopping up the big problems into little problems, and then distributing those little problems in a sustainable way across projects and OSS teams. This isn’t a great example of that problem, but it’s been a victim of it. To whomever is interested, I’m going to riff on the problem.

The setup. This project requires a tool beyond PostCSS to parse CSS. Forgive the ABCs, but let me explain the technical gist of this project. This project modifies CSS to partially polyfill CSS Custom Properties at build time. Custom Properties, by their definition, exist in CSS properties. Properties refer to the name in the name/value pairing we call CSS declarations. We create Custom Properties by writing declarations, and we use Custom Properties in declarations with a var() function. That function lives in the value of a declaration. PostCSS does not parse the values of declarations. To parse those values, we can use one of two other OSS projects — postcss-value-parser and postcss-values-parser. Both are great projects created and maintained by folks I have great respect for. I chose to use the latter project because I personally found it to be less destructive to CSS upon use, and because it provided a more accurate AST.

The problems. First, the values parser project made some significant breaking changes that required a lot of work and effort, and those changes required knowledge the documentation could not sufficiently cover. Second, the maintainer of that project was not in a position to maintain the code required to account for new bugs that arose during the last revision. The maintainer is actively hoping to avoid the maintenance of such code, which played a large role in the decision to make breaking changes. A lot of the bugs are in fact debt from PostCSS not parsing values. I know this because I created PRs to contribute that code to the project, and I had the maintainer tell me this, quite nicely. I also know because I found the bugs in PostCSS, and I wrote a brand new tokenizer to resolve them. But I hope you see how this elevates my problem, from a major upgrade of a dependency to a project beyond the needs of this project. Third, the primary user of this project is PostCSS Preset Env, which I also maintain, and any problem with the values parser in this project is multiplied by all of the projects with the same dependency. And so I’m again forced to deal with the problem at a much larger scale than I would like to.

Some solutions.

1. As a contributor to this project and postcss-values-parser, perform the upgrade in the values parser myself, if it hasn’t already been done, and perform the necessary upgrades here. Historically, this requires a good chunk of time, mostly to handle the feedback loops between myself and the maintainer of postcss-values-parser, and to handle any breaking changes to this project.
2. As a contributor to PostCSS, PostCSS Preset Env, PostCSS Custom Properties, and the PostCSS Values Parser, I’m in the perfect position to resolve all of these issues with a new tokenizer and parser. Unfortunately, I don’t have a career or the spare time to accomplish my goal in a reasonable time frame.
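The comment above explains that PostCSS hands a declaration its value as a raw string and that locating var() inside it is the values parser's job. As an added illustration (not postcss-custom-properties' or postcss-values-parser's code), here is a minimal scanner that does that job for var() only, including var() nested in a fallback, and then resolves references against a definitions map. It goes one step beyond the comment by bounding the number of substitution rounds, so a self-referencing definition is reported instead of looping. Strings and comments inside values are not modelled, and the round limit of 32 is this example's choice; both are assumptions.

```javascript
// Added example, not code from postcss-custom-properties or postcss-values-parser.
// Finds var(...) references in a declaration value and substitutes them,
// outermost first, with a round limit so cyclic definitions terminate.
// Strings and comments in values are not modelled (assumption).

// Each entry records the custom property name, the fallback text (or null),
// and the start/end offsets of the whole var(...) expression in `value`.
function findVarReferences(value) {
  const refs = [];
  const lower = value.toLowerCase();
  let i = 0;
  for (;;) {
    const start = lower.indexOf('var(', i);
    if (start === -1) return refs;
    // walk to the parenthesis that closes this var(
    let depth = 0;
    let end = start + 3;
    for (; end < value.length; end++) {
      if (value[end] === '(') depth++;
      else if (value[end] === ')' && --depth === 0) break;
    }
    if (depth !== 0) return refs; // unbalanced; nothing more can be parsed
    const inner = value.slice(start + 4, end);
    // split at the first top-level comma into name and fallback
    let d = 0;
    let comma = -1;
    for (let k = 0; k < inner.length && comma === -1; k++) {
      if (inner[k] === '(') d++;
      else if (inner[k] === ')') d--;
      else if (inner[k] === ',' && d === 0) comma = k;
    }
    const name = (comma === -1 ? inner : inner.slice(0, comma)).trim();
    const fallback = comma === -1 ? null : inner.slice(comma + 1).trim();
    refs.push({ name, fallback, start, end });
    i = start + 4; // keep scanning inside so a var() in the fallback is found too
  }
}

// Replace var() references using `definitions` ({ '--name': 'value' }).
// An undefined name takes its fallback, or the empty string if there is none.
// Replacing the outermost reference first lets a fallback that itself contains
// var() be resolved in a later round. Throws if the value never settles.
function resolveVars(value, definitions, maxRounds = 32) {
  let out = value;
  for (let round = 0; round < maxRounds; round++) {
    const refs = findVarReferences(out);
    if (refs.length === 0) return out;
    const ref = refs[0]; // leftmost, hence outermost of its nest
    const defined = Object.prototype.hasOwnProperty.call(definitions, ref.name);
    const replacement = defined
      ? definitions[ref.name]
      : (ref.fallback === null ? '' : ref.fallback);
    out = out.slice(0, ref.start) + replacement + out.slice(ref.end + 1);
  }
  throw new Error(
    'var() resolution did not settle in ' + maxRounds + ' rounds (cyclic definition?)'
  );
}
```

One round substitutes one reference, so the limit bounds total work per declaration regardless of how definitions refer to each other; a build tool would surface the thrown error as a diagnostic for the offending rule rather than hanging.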

mikelkew commented 3 years ago

Looks like the vulnerability has now been removed downstream in postcss-values-parser@^4.0.0. See related issue shellscape/postcss-values-parser#120 and PR shellscape/postcss-values-parser#125.

Semigradsky commented 3 years ago

Fixed in https://github.com/postcss/postcss-custom-properties/releases/tag/10.0.0