Closed prb112 closed 2 years ago
Dear SCSS-Tokenizer Team,
In scanning my node_modules for Regular Expression Denial of Service (ReDoS) affecting org.webjars.npm:postcss (CVE-2021-23382),
I encountered scss-tokenizer's previous-map.js, which has the same style of regular expression that is cited in the CVE commit:
postcss
return sourceMapString.match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1].trim()
scss-tokenizer
let match = css.match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)
It's slightly different, and may be worth your time to double-check.
I hope this helps.
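Added example (my code, not the issue author's, scss-tokenizer's or postcss's; assumes Node.js): it takes the two regexes exactly as quoted above, builds a constructed input on which their greedy `(.*)` backtracks quadratically, and shows one hand-written linear scan of the comment as a possible replacement. The linear scan is an illustration only and is not the change that shipped in scss-tokenizer v0.4.3.

```javascript
'use strict';

// The two regexes exactly as quoted in the issue.
const POSTCSS_RE = /\/\*\s*# sourceMappingURL=(.*)\*\//;
const SCSS_TOKENIZER_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

const OPENER = '/*# sourceMappingURL=';
const MARKER = '# sourceMappingURL=';

// Constructed adversarial input: the opener repeated n times and never closed.
// Both regexes are unanchored, so every repeat is a fresh start position, and
// from each one the greedy `.*` runs to the end of the line and then backtracks
// one character at a time looking for "*/". Total work grows as ~n^2.
function adversarialInput(n) {
  return OPENER.repeat(n);
}

// Constructed well-formed sample for comparing results.
const WELL_FORMED_CSS = 'a{color:red}\n/*# sourceMappingURL=app.css.map */\n';

// Wall-clock milliseconds for a single String.prototype.match call.
function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  const m = input.match(re);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched: m !== null, ms };
}

// Linear-time extraction with no backtracking regex (assumed shape, mine, not
// the projects'): a comment runs from "/*" to the FIRST following "*/"; inside
// it, optional whitespace, then "# sourceMappingURL=", then the URL, which must
// stay on one line. Each indexOf resumes where the previous one stopped, so the
// whole input is scanned once. Note the greedy `(.*)\*\/` above captures up to
// the LAST "*/" on the line; for a well-formed annotation there is only one,
// so both yield the same URL.
function extractSourceMappingURL(css) {
  let from = 0;
  for (;;) {
    const open = css.indexOf('/*', from);
    if (open === -1) return null;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) return null; // unterminated comment: nothing later can close either
    const body = css.slice(open + 2, close);
    let i = 0;
    while (i < body.length && /\s/.test(body[i])) i++;
    if (body.startsWith(MARKER, i)) {
      const url = body.slice(i + MARKER.length);
      if (!/[\r\n]/.test(url)) return url.trim();
    }
    from = close + 2; // not an annotation: continue after this comment
  }
}

// Runs both regexes and the linear scan on the adversarial input and returns
// the timings so the quadratic-versus-linear gap can be seen (absolute numbers
// depend on the machine).
function compare(n) {
  const input = adversarialInput(n);
  const t0 = process.hrtime.bigint();
  const linear = extractSourceMappingURL(input);
  const linearMs = Number(process.hrtime.bigint() - t0) / 1e6;
  return {
    inputLength: input.length,
    postcss: timeMatch(POSTCSS_RE, input),
    scssTokenizer: timeMatch(SCSS_TOKENIZER_RE, input),
    linear: { matched: linear !== null, ms: linearMs },
  };
}

for (const n of [500, 1000, 2000]) {
  console.log(`n=${n}`, JSON.stringify(compare(n)));
}
```

Doubling `n` should roughly quadruple the regex timings while the linear scan stays flat; on the well-formed sample all three return `app.css.map`.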
Do we have any blockers to merge the PR? Awaiting the CVE fix.
Fixed in v0.4.3