terser / html-minifier-terser

actively maintained fork of html-minifier - minify HTML, CSS and JS code using terser - supports ES6 code
https://terser.org/html-minifier-terser
MIT License

update clean-css 5.2.0 to ^5.2.0 #140

Closed Tobias-Beck closed 1 year ago

Tobias-Beck commented 1 year ago

clean-css 5.2.0 has security issues. https://www.huntr.dev/bounties/6937a4ed-e41f-4fff-8f9b-8bcbed0f616e/ The issue is fixed in 5.2.2, please update to ^5.2.0 or 5.2.2.

DanielRuf commented 1 year ago

Hi @Tobias-Beck,

thanks for reporting this.

@sibiraj-s will handle and schedule a new release then.

sibiraj-s commented 1 year ago

Thanks for reporting this @Tobias-Beck. Unfortunately, this will break things, as v5.3 and above of clean-css have breaking changes, hence pinned.

I would recommend, rather than adding a caret (^), updating the dependency by pinning it to v5.2.2 and also committing the lock file. I will be able to make a minor patch release then.
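The maintainer's objection above comes down to how npm resolves a caret range: `^5.2.0` admits any `5.x` at or above `5.2.0`, so it would also pull in the `5.3` line with the breaking changes, while an exact pin `5.2.2` admits only the patched release. The following is an added illustration written for this page, not code from the issue thread or from html-minifier-terser: a small semver resolver that shows the difference on a constructed list of published versions (the `PUBLISHED` array and the function names are assumptions for the example).

```javascript
// Added example (not part of the issue thread or the html-minifier-terser code):
// a minimal semver resolver showing why "^5.2.0" lets a breaking 5.3.x release
// be selected, while an exact pin "5.2.2" does not.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Ordering on parsed versions: -1, 0 or 1, comparing major, then minor, then patch
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `range`? Two range shapes are handled:
//   "^X.Y.Z"  caret: >= X.Y.Z with the same major (for 0.x, the same minor too, npm's rule)
//   "X.Y.Z"   exact pin: that version only
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const base = parseVersion(range.slice(1));
    if (base.major === 0) {
      return v.major === 0 && v.minor === base.minor && compare(v, base) >= 0;
    }
    return v.major === base.major && compare(v, base) >= 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Pick the highest published version the range allows, as a registry resolution would;
// returns null when nothing matches.
function resolve(range, published) {
  const allowed = published.filter((p) => satisfies(p, range));
  if (allowed.length === 0) return null;
  return allowed.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Constructed version list for the demonstration; 5.2.0 is the vulnerable release,
// 5.2.2 the fixed one, 5.3.x the line with breaking changes.
const PUBLISHED = ["5.1.0", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1"];

console.log("^5.2.0 resolves to", resolve("^5.2.0", PUBLISHED)); // 5.3.1, the breaking line
console.log("5.2.2 resolves to", resolve("5.2.2", PUBLISHED));   // 5.2.2, the fixed release only
```

The pin alone governs only the direct dependency; committing the lock file is what freezes the rest of the resolved graph, so a later install reproduces exactly the versions that were reviewed rather than whatever the registry offers at that moment.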

DanielRuf commented 1 year ago

Replaced by https://github.com/terser/html-minifier-terser/pull/148