As postcss 7 isn't gonna release a new patch unless with commercial support, we have to patch it ourselves with patch-package.
It is to avoid introducing breaking changes to the downstream vue-loader v15.x.
The patched source code will be shipped with the @vue/component-compiler-utils npm package.
So users can get rid of the vulnerability warnings.
For any potential vulnerabilities in the future, we'll still receive them from GitHub's dependabot. So this change won't affect the overall security of this package.
Backports https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4 https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5
Fixes https://www.npmjs.com/advisories/1693
As postcss 7 isn't gonna release a new patch unless with commercial support, we have to patch it ourselves with patch-package.
It is to avoid introducing breaking changes to the downstream
vue-loader
v15.x.The patched source code will be shipped with the
@vue/component-compiler-utils
npm package. So users can get rid of the vulnerability warnings.For any potential vulnerabilities in the future, we'll still receive them from GitHub's dependabot. So this change won't affect the overall security of this package.
Fixes #110 Fixes https://github.com/vuejs/vue-cli/issues/6467
Closes #109