Open YellowPanda11 opened 4 years ago
Mind if we close this issue?
postcss-url 10 requires postcss 8. Not the entire ecosystem is ready yet for a migration from postcss 7 to postcss 8! There are some environments which I simply cannot update yet.
➡️ Would you please consider applying the fix of updating mkdirp also on postcss-url 9?
Thank you so much!
Reference:
```
# npm audit report
minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install postcss-url@10.1.1, which is a breaking change
node_modules/postcss-url/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/postcss-url/node_modules/mkdirp
postcss-url 9.0.0 - 10.0.0
Depends on vulnerable versions of mkdirp
node_modules/postcss-url
3 low severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
```
mkdirp should be on 0.5.3 to prevent the security exploit introduced by minimist
ref: https://snyk.io/test/npm/mkdirp/0.5.0
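A lockfile check for the version ranges quoted in the audit report above, as an added example that is not part of the original issue or of the postcss-url project. The `findVulnerable` helper and the sample lockfile are constructed for illustration, and the code assumes a `package-lock.json` with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Added example: flag nested copies of minimist/mkdirp that fall inside the
// ranges printed by the audit report. Names here are hypothetical helpers.

// Parse "x.y.z" into numbers; pre-release suffixes are ignored for simplicity.
const parse = (v) => v.split('-')[0].split('.').map(Number);

// Three-way comparison of two version strings.
function cmp(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Ranges copied from the report. A Map avoids inherited-key lookups such as
// a package literally named "constructor".
const VULNERABLE = new Map([
  ['minimist', (v) => cmp(v, '0.2.1') < 0 ||
                      (cmp(v, '1.0.0') >= 0 && cmp(v, '1.2.3') < 0)],
  ['mkdirp', (v) => cmp(v, '0.4.1') >= 0 && cmp(v, '0.5.1') <= 0],
]);

// Walk every installed copy, including ones nested under other packages.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const check = VULNERABLE.get(name);
    if (check && meta.version && check(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: nested copies are old, hoisted copies are fixed.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/postcss-url': { version: '9.0.0' },
    'node_modules/postcss-url/node_modules/mkdirp': { version: '0.5.1' },
    'node_modules/postcss-url/node_modules/minimist': { version: '0.0.8' },
    'node_modules/mkdirp': { version: '0.5.3' },
    'node_modules/minimist': { version: '1.2.5' },
  },
};

console.log(findVulnerable(sampleLock));
```

Only the two copies nested under `node_modules/postcss-url` are reported; the hoisted `mkdirp` 0.5.3 and `minimist` 1.2.5 fall outside the ranges.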