alexander-akait
commented
8 months ago Hello, you can update deps locally, we have postcss in peerDependencies to support v7 and v8 and we use ^ to allow installing new versions with fixes, so plese update your deps locally, thank you, feel free to feedback
Bug report
PostCSS line return parsing error https://github.com/advisories/GHSA-7fh5-64p2-3v2j
Actual Behavior
It has dependency of "postcss": "^8.4.29", which is <8.4.31 according to https://github.com/advisories/GHSA-7fh5-64p2-3v2j
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Expected Behavior
Update the dependency of "postcss": "^8.4.29", to "^8.4.31"
How Do We Reproduce?
It already has a vulnerability CVE-2023-44270
Please paste the results of
npx webpack infohere, and mention other relevant information