
npm audit reports RegEx vulnerability in dependency (clean-css) #26

Closed
heikkipora opened this issue Feb 19, 2019 · 3 comments · Fixed by #37

Comments

@heikkipora

Need to update clean-css:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less-plugin-clean-css                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ less-plugin-clean-css > clean-css                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/785                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
@heikkipora

It's a breaking update so likely needs more than a bit of work

@heikkipora heikkipora changed the title npm audit reports vulnerability in dependency (clean-css) npm audit reports RegEx vulnerability in dependency (clean-css) Feb 19, 2019
@martonx

martonx commented Mar 25, 2019

+1 to update dependencies

@joeyparrish

Would be fixed by upgrade proposed in #18, but there are breaking changes in the API: https://github.com/jakubpawlowicz/clean-css/blob/master/README.md#important-40-breaking-changes

Perhaps the vulnerable regex could be patched in clean-css v3 as well, and we could make a trivial update to a fixed version of v3?
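As an added example (not code from this issue or from the project), a Node script that walks an npm v1 package-lock tree and reports every copy of clean-css below the advisory's patched floor of 4.1.11, including copies reached transitively through less-plugin-clean-css as in the audit path above; the lockfile contents and version numbers are constructed, and a real numeric semver comparison is used because a plain string compare would rank "4.1.9" above "4.1.11".

```javascript
// Added example: find copies of a package below an advisory's patched floor
// in an npm lockfile (v1 nested "dependencies" layout). Not project code.
const PATCHED_FLOOR = '4.1.11'; // from the audit table: "Patched in >=4.1.11"

// Constructed lockfile mirroring the audit path in the issue; versions are hypothetical.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'less-plugin-clean-css': {
      version: '1.5.1',
      dependencies: { 'clean-css': { version: '3.4.28' } }, // nested, below floor
    },
    'clean-css': { version: '4.2.1' }, // direct copy, already patched
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Walk the dependency tree depth-first; return [{ path, version }] for every
// copy of `pkg` whose version is below `floor`, with the npm-audit style path.
function findVulnerable(lock, pkg, floor) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [name, node] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkg && compareSemver(node.version, floor) < 0) {
        hits.push({ path: path.join(' > '), version: node.version });
      }
      walk(node.dependencies, path); // recurse into nested copies
    }
  })(lock.dependencies, []);
  return hits;
}

for (const h of findVulnerable(SAMPLE_LOCK, 'clean-css', PATCHED_FLOOR)) {
  console.log(`${h.path}@${h.version} is below ${PATCHED_FLOOR}`);
}
```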
