rails / webpacker

Use Webpack to manage app-like JavaScript modules in Rails
MIT License

Regular Expression Denial of Service in postcss #3268

Closed ssinghi closed 2 years ago

ssinghi commented 2 years ago

Ruby version: Any
Rails version: 5.2.6 and above
Webpacker version: 5.4.2

Expected behavior: The postcss security warning should not be there.

Actual behavior:

Dependabot is giving the following security warning.

The latest possible version that can be installed is 7.0.39 because of the following conflicting dependencies:

@rails/webpacker@5.4.2 requires postcss@^7.0.14 via a transitive dependency on icss-utils@4.1.1
@rails/webpacker@5.4.2 requires postcss@^7.0.32 via a transitive dependency on css-loader@3.6.0
@rails/webpacker@5.4.2 requires postcss@^7.0.5 via a transitive dependency on postcss-modules-extract-imports@2.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.32 via a transitive dependency on postcss-modules-local-by-default@3.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.6 via a transitive dependency on postcss-modules-scope@2.2.0
@rails/webpacker@5.4.2 requires postcss@^7.0.6 via a transitive dependency on postcss-modules-values@3.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.1 via a transitive dependency on css-declaration-sorter@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on cssnano-util-raw-cache@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on cssnano-preset-default@4.0.8
@rails/webpacker@5.4.2 requires postcss@^7.0.27 via a transitive dependency on postcss-calc@7.0.5
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-colormin@4.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-convert-values@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-discard-comments@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-discard-duplicates@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-discard-empty@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-discard-overridden@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-merge-longhand@4.0.11
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on stylehacks@4.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-merge-rules@4.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-minify-font-values@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-minify-gradients@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-minify-params@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-minify-selectors@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-charset@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-display-values@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-positions@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-repeat-style@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-string@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-timing-functions@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-unicode@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-url@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-normalize-whitespace@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-ordered-values@4.1.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-reduce-initial@4.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-reduce-transforms@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-svgo@4.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-unique-selectors@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on cssnano@4.1.11
@rails/webpacker@5.4.2 requires postcss@^7.0.26 via postcss-flexbugs-fixes@4.2.1
@rails/webpacker@5.4.2 requires postcss@^7.0.1 via postcss-import@12.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.0 via a transitive dependency on postcss-loader@3.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.32 via a transitive dependency on autoprefixer@9.8.8
@rails/webpacker@5.4.2 requires postcss@^7.0.5 via a transitive dependency on css-blank-pseudo@0.1.4
@rails/webpacker@5.4.2 requires postcss@^7.0.6 via a transitive dependency on css-has-pseudo@0.10.0
@rails/webpacker@5.4.2 requires postcss@^7.0.5 via a transitive dependency on css-prefers-color-scheme@3.1.1
@rails/webpacker@5.4.2 requires postcss@^7.0.17 via a transitive dependency on postcss-preset-env@6.7.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-attribute-case-insensitive@4.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-color-functional-notation@2.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.5 via a transitive dependency on postcss-color-gray@5.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.14 via a transitive dependency on postcss-color-hex-alpha@5.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-color-mod-function@3.0.3
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-color-rebeccapurple@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.14 via a transitive dependency on postcss-custom-media@7.0.8
@rails/webpacker@5.4.2 requires postcss@^7.0.17 via a transitive dependency on postcss-custom-properties@8.0.11
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-custom-selectors@5.1.2
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-dir-pseudo-class@5.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.5 via a transitive dependency on postcss-double-position-gradients@1.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-env-function@2.0.2
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-focus-visible@4.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-focus-within@3.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-font-variant@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-gap-properties@2.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-image-set-function@3.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-initial@3.0.4
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-lab-function@2.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-logical@3.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-media-minmax@4.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-nesting@7.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-overflow-shorthand@2.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-page-break@2.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-place@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-pseudo-class-any-link@6.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-replace-overflow-wrap@3.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-selector-matches@4.0.0
@rails/webpacker@5.4.2 requires postcss@^7.0.2 via a transitive dependency on postcss-selector-not@4.0.1
@rails/webpacker@5.4.2 requires postcss@^7.0.26 via postcss-safe-parser@4.0.2
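The conflict list above is Dependabot's way of saying that every caret range pins postcss below the next major, so a patched release in a newer major can never be selected. As an added example (not from this issue or from the webpacker project), the script below parses a constructed subset of those conflict lines, implements just enough caret-range semantics to reproduce the resolution, and reports which dependents block a candidate version. The candidate `8.0.0` and the available-version list are assumptions for illustration; `7.0.39` is the ceiling quoted in the issue.

```javascript
// Constructed subset of the Dependabot conflict output quoted in the issue.
const conflictText = `
@rails/webpacker@5.4.2 requires postcss@^7.0.14 via a transitive dependency on icss-utils@4.1.1
@rails/webpacker@5.4.2 requires postcss@^7.0.32 via a transitive dependency on css-loader@3.6.0
@rails/webpacker@5.4.2 requires postcss@^7.0.26 via postcss-flexbugs-fixes@4.2.1
`;

// Parse "ROOT requires PKG@RANGE via [a transitive dependency on ]DEP" lines.
function parseConflicts(text) {
  const re = /^(\S+) requires (\S+)@(\^?\d+\.\d+\.\d+) via (?:a transitive dependency on )?(\S+)$/;
  const out = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const m = line.match(re);
    if (!m) continue;
    out.push({
      root: m[1],
      pkg: m[2],
      range: m[3],
      via: m[4],
      // Direct dependencies are listed without the "transitive dependency" wording.
      direct: !line.includes("transitive"),
    });
  }
  return out;
}

function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics for major >= 1 only (all ranges in the issue are of that form):
// ^7.0.32 means >=7.0.32 <8.0.0. A bare version is treated as an exact pin.
function satisfies(version, range) {
  if (range.startsWith("^")) {
    const lower = range.slice(1);
    const [major] = parseVersion(lower);
    if (major === 0) throw new Error("0.x caret ranges are not handled in this example");
    const upper = `${major + 1}.0.0`;
    return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
  }
  return compareVersions(version, range) === 0;
}

// Names of the dependents whose range excludes the candidate version.
function blockers(conflicts, candidate) {
  return conflicts.filter((c) => !satisfies(candidate, c.range)).map((c) => c.via);
}

// Highest version from `available` that every dependent's range accepts, or null.
function highestInstallable(conflicts, available) {
  const ok = available.filter((v) => conflicts.every((c) => satisfies(v, c.range)));
  if (ok.length === 0) return null;
  ok.sort(compareVersions);
  return ok[ok.length - 1];
}

// Demo: assumed patched release in the next major vs. the 7.x ceiling from the issue.
const conflicts = parseConflicts(conflictText);
const ASSUMED_PATCHED = "8.0.0"; // assumption, not a version stated in the issue
const AVAILABLE = ["7.0.35", "7.0.39", ASSUMED_PATCHED]; // constructed registry snapshot
console.log("blocked by:", blockers(conflicts, ASSUMED_PATCHED));
console.log("highest installable:", highestInstallable(conflicts, AVAILABLE));
```

The useful output is the `blockers` list: it tells you which transitive packages (and which direct ones, via the `direct` flag) would each need a release that widens their postcss range before the lockfile can move to the patched major, which is the same conclusion Dependabot reaches when it reports 7.0.39 as the ceiling.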

justin808 commented 2 years ago

@ssinghi Per the announcement from @dhh on the README.md, there will be no security updates for JS libraries.


Please update to shakapacker and report an issue there if there is one.

https://github.com/shakacode/shakapacker

justin808 commented 2 years ago

Please move these over to https://github.com/shakacode/shakapacker/.