postcss / postcss-url

PostCSS plugin to rebase url(), inline or copy assets.
MIT License

v8.0.0 - mkdirp should be on 0.5.3 at least #141

Open YellowPanda11 opened 4 years ago

YellowPanda11 commented 4 years ago

mkdirp should be on 0.5.3 to prevent security exploit introduced from minimist

ref: https://snyk.io/test/npm/mkdirp/0.5.0

sergcen commented 3 years ago

fixed 10.1.0

peter-mouland commented 3 years ago

mind if we close this issue?

LeoniePhiline commented 3 years ago

postcss-url 10 requires postcss 8. Not the entire ecosystem is ready yet for a migration from postcss 7 to postcss 8! There are some environments which I simply cannot update yet.

➡️ Would you please consider applying the fix of updating mkdirp also on postcss-url 9?

Thank you so much!

Reference:

# npm audit report

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install postcss-url@10.1.1, which is a breaking change
node_modules/postcss-url/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/postcss-url/node_modules/mkdirp
    postcss-url  9.0.0 - 10.0.0
    Depends on vulnerable versions of mkdirp
    node_modules/postcss-url

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
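The audit report above shows why the vulnerable minimist is only reachable through the copy of mkdirp nested under postcss-url. The following is an added example, not code from postcss-url or from anyone in this thread: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map, whose keys encode the nesting path) for copies of minimist and mkdirp inside the exact ranges the report lists, and then produces the `overrides` entry that pins mkdirp to the fixed line without moving to postcss-url 10. The lockfile fragment is constructed to mirror the report's paths, and the `overrides` field is assumed to be honoured by the installer in use (npm 8.3 and later; Yarn uses `resolutions`).

```javascript
// Added example (not part of postcss-url): find nested copies of mkdirp / minimist
// that fall inside the ranges npm audit reported, and emit an override for them.

// Vulnerable ranges, taken verbatim from the npm audit report in the issue.
// Each entry is an OR of AND-groups, mirroring npm's "a || b c" range syntax.
const ADVISORIES = [
  { name: "minimist", ranges: [["<0.2.1"], [">=1.0.0", "<1.2.3"]],
    note: "Prototype Pollution (npm advisory 1179)" },
  { name: "mkdirp", ranges: [[">=0.4.1", "<=0.5.1"]],
    note: "depends on vulnerable versions of minimist" },
];

// Numeric compare of two x.y.z versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Test a concrete version against one comparator such as ">=1.0.0" or "<0.2.1".
function satisfies(version, comparator) {
  const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case "<":  return c < 0;
    case "<=": return c <= 0;
    case ">":  return c > 0;
    case ">=": return c >= 0;
    default:   return c === 0;
  }
}

// True when the version is inside any AND-group of the advisory's ranges.
function inVulnerableRange(version, ranges) {
  return ranges.some((group) => group.every((cmp) => satisfies(version, cmp)));
}

// Walk the lockfile's "packages" map. The key is the install path, so
// "node_modules/postcss-url/node_modules/mkdirp" is mkdirp nested under postcss-url.
function auditLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const adv = ADVISORIES.find((a) => a.name === name);
    if (!adv || !pkg.version) continue;
    if (inVulnerableRange(pkg.version, adv.ranges)) {
      // Parent chain recovered from the path, outermost first.
      const via = path.split("/node_modules/").slice(0, -1)
        .map((p) => p.replace(/^node_modules\//, ""))
        .filter(Boolean);
      findings.push({ name, version: pkg.version, path, via, note: adv.note });
    }
  }
  return findings;
}

// Remediation that keeps postcss-url 9: force every mkdirp in the tree onto the
// fixed line named in the issue title. (Hypothetical helper, not an npm API.)
function overrideFor(findings) {
  const overrides = {};
  if (findings.some((f) => f.name === "mkdirp")) overrides.mkdirp = "^0.5.3";
  return overrides;
}

// Constructed lockfile fragment modelled on the report's paths (not a real lockfile).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "postcss-url": "^9.0.0", minimist: "^1.2.5" } },
    "node_modules/minimist": { version: "1.2.5" },
    "node_modules/postcss-url": { version: "9.0.0", dependencies: { mkdirp: "~0.5.1" } },
    "node_modules/postcss-url/node_modules/mkdirp": { version: "0.5.1", dependencies: { minimist: "0.0.8" } },
    "node_modules/postcss-url/node_modules/minimist": { version: "0.0.8" },
  },
};

const found = auditLock(SAMPLE_LOCK);
for (const f of found) {
  console.log(`${f.name}@${f.version} at ${f.path} (via ${f.via.join(" > ") || "root"}): ${f.note}`);
}
console.log("package.json overrides:", JSON.stringify(overrideFor(found)));
```

The top-level minimist 1.2.5 is correctly left alone; only the copies reached through postcss-url's nested mkdirp are flagged, which is the same shape the audit report shows. After adding the printed `overrides` block to `package.json` and reinstalling, a re-run of the scan (or of `npm audit`) is the check that the nested mkdirp, and the old minimist it pulled in, are gone.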