vuejs / component-compiler-utils

Lower level utilities for compiling Vue single file components

Update postcss #122

Open wabuMike opened 2 years ago

wabuMike commented 2 years ago

Please consider updating postcss to a version >= 8.2.13 since versions below are affected by Regular Expression Denial of Service. See https://github.com/advisories/GHSA-566m-qj78-rww5 for more information.

laacz commented 2 years ago

Second this. Dependabot alerts are triggering me :)

secondmanveran commented 2 years ago

For the life of me I can't even imagine why it would take 2 months to review a pull request.

🤦🏻

laacz commented 2 years ago

Judging from pull request and commit activity, it appears that the project is no longer maintained.

FRSgit commented 2 years ago

Hey! I've created PR updating PostCSS usage. Give it a thumbs up - maybe that will give it some traction 🤷

secondmanveran commented 2 years ago

There's already a pull request open. That's the point, it's been open since December.

secondmanveran commented 2 years ago

OH ... it's yours that's open. Yeah I saw that one, hence my original comment.

brianlenz commented 2 years ago

FYI, it looks like the Dependabot alert was updated, and this is no longer a security issue. The updated status shows that it's fixed in 7.0.36:

https://github.com/github/advisory-database/commit/df3034df6abfc28ab60a5a328cf502b0df65dbdb

kingyue737 commented 1 year ago

As the SFC compiler for Vue 2.7 now uses PostCSS 8, it makes sense to update it.

hackel commented 8 months ago

This issue is back from the dead - https://nvd.nist.gov/vuln/detail/CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.