JS webpacker tooling impacted by transitive dependency postcss CVE-2021-23368 and is-svg CVE-2021-28092. @rails/webpacker doesn't currently have a backport.
Scope:
JS packages used during build and deployment of Avalon; unused within the running application. Supply chain attack vector.
Impact:
Regular Expression Denial of Service (ReDoS) - will cause webpacker and thus application deployment to fail; no impact to existing deployment
Todo:
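
To see which direct dependencies pull in the two affected packages, this added example (not code from Avalon or @rails/webpacker) parses a Yarn v1 lockfile excerpt and lists every chain from @rails/webpacker down to postcss and is-svg. It assumes the project uses a `yarn.lock` in v1 format; the excerpt, the intermediate package names and all versions are constructed sample values.

```javascript
// Constructed yarn.lock (v1) excerpt: intermediate package names and all
// versions are sample values, not Avalon's real lockfile.
const SAMPLE_LOCK = `
"@rails/webpacker@^0.0.1":
  version "0.0.1"
  dependencies:
    css-minifier-sample "^0.0.1"
    postcss-loader-sample "^0.0.1"
css-minifier-sample@^0.0.1:
  version "0.0.1"
  dependencies:
    is-svg "^0.0.1"
    postcss "^0.0.1"
postcss-loader-sample@^0.0.1:
  version "0.0.1"
  dependencies:
    postcss "^0.0.1"
is-svg@^0.0.1:
  version "0.0.1"
postcss@^0.0.1:
  version "0.0.1"
`;
// Parse yarn.lock v1 into { name: { version, deps } }; assumes one version per name.
function parseLock(text) {
  const pkgs = {};
  let cur = null, inDeps = false;
  for (const line of text.split("\n")) {
    if (/^\S.*:$/.test(line)) {                    // entry header
      const spec = line.slice(0, -1).split(",")[0].replace(/"/g, "");
      cur = pkgs[spec.slice(0, spec.lastIndexOf("@"))] = { version: null, deps: [] };
      inDeps = false;
    } else if (cur && line.startsWith("  version ")) {
      cur.version = line.trim().split(" ")[1].replace(/"/g, "");
    } else if (cur && /^  \S.*:$/.test(line)) {    // sub-section header
      inDeps = line.trim() === "dependencies:";
    } else if (cur && inDeps && /^    \S/.test(line)) {
      cur.deps.push(line.trim().split(" ")[0].replace(/"/g, ""));
    }
  }
  return pkgs;
}
// Every dependency chain from `root` down to `target`, guarding against cycles.
function chainsTo(pkgs, root, target, path = []) {
  if (path.includes(root) || !pkgs[root]) return [];
  const here = [...path, root];
  if (root === target) return [here.join(" > ")];
  return pkgs[root].deps.flatMap((d) => chainsTo(pkgs, d, target, here));
}
const pkgs = parseLock(SAMPLE_LOCK);
for (const t of ["postcss", "is-svg"]) console.log(t, pkgs[t].version, chainsTo(pkgs, "@rails/webpacker", t));
```

Each chain names the direct dependency that would have to be upgraded, or overridden with a Yarn `resolutions` entry, to move the transitive package to a patched release.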