postcss / postcss-custom-properties

Use Custom Properties in CSS
https://postcss.github.io/postcss-custom-properties
MIT License

High severity vulnerabilities in dependencies #235

Closed henrijs closed 3 years ago

henrijs commented 3 years ago

This package depends on postcss-values-parser, which depends on url-regex, which has a high severity vulnerability.

Upstream issue https://github.com/shellscape/postcss-values-parser/issues/130. Please see https://npmjs.com/advisories/1550.

Semigradsky commented 3 years ago

I don't see url-regex in dependencies:

$ yarn why url-regex
yarn why v1.22.5
[1/4] Why do we have the module "url-regex"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
error We couldn't find a match!
Done in 0.27s.

Semigradsky commented 3 years ago

@henrijs upgrade your postcss-values-parser to version 10+. It was fixed in #228.
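The check discussed in this thread (is url-regex reachable from the project, and through which packages) can also be run against an npm lockfile. The following is an added example, not code from the thread or from the project; it assumes the `packages` map layout of npm lockfile versions 2 and 3, and the project name `app` and all version strings are constructed placeholders.

```javascript
// Added example: trace why a package is installed, from an npm lockfile
// ("packages" map, lockfileVersion 2/3). Sample data below is constructed.

// Resolve `name` as required from the entry at `fromPath`, following Node's
// lookup order: nested node_modules first, then each enclosing package.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dep
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Return every dependency chain from the root project to `target`.
function whyInstalled(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const label = (p) => p === '' ? packages[p].name
    : `${p.slice(p.lastIndexOf('node_modules/') + 13)}@${packages[p].version}`;
  const walk = (path, trail) => {
    const e = packages[path];
    const deps = { ...e.dependencies, ...e.optionalDependencies,
      ...(path === '' ? e.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next || trail.includes(next)) continue; // missing or cyclic
      if (name === target) chains.push([...trail, next].map(label));
      else walk(next, [...trail, next]);
    }
  };
  walk('', ['']);
  return chains;
}

// Constructed lockfiles; version strings are placeholders, not real releases.
const V = '0.0.0-example';
const CP = 'node_modules/postcss-custom-properties';
const LOCK_BEFORE = { packages: {
  '': { name: 'app', dependencies: { 'postcss-custom-properties': '*' } },
  [CP]: { version: V, dependencies: { 'postcss-values-parser': '*' } },
  'node_modules/postcss-values-parser': { version: V, dependencies: { 'url-regex': '*' } },
  'node_modules/url-regex': { version: V },
} };
// Same tree once the parser dependency no longer pulls in url-regex.
const LOCK_AFTER = { packages: { '': LOCK_BEFORE.packages[''],
  [CP]: LOCK_BEFORE.packages[CP], 'node_modules/postcss-values-parser': { version: V } } };
console.log(whyInstalled(LOCK_BEFORE, 'url-regex'), whyInstalled(LOCK_AFTER, 'url-regex'));
```

An empty result means no installed package requires the target, which is the lockfile equivalent of the "couldn't find a match" output above.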