
Audit issues due to postcss version #151

Closed
FBNitro opened this issue Jan 7, 2022 · 12 comments · Fixed by #201
Labels: enhancement (New feature or request)


FBNitro commented Jan 7, 2022

Describe the bug

[ moderate ] Regular Expression Denial of Service in postcss
 vulnerable versions <8.2.13 found in:
 - dependencies: typescript-plugin-css-modules>postcss-filter-plugins>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>icss-utils>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-selectors>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-selectors>icss-utils>postcss

To Reproduce
execute yarn or npm audit

Expected behavior
A successful audit

Note: I realize that the postcss-filter-plugin/icss-* modules are way out of date, and that's the underlying cause... maybe there's another package this could move to.
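The "found in" chains the audit prints above can be reproduced by walking the dependency tree for every copy of a package that resolves below the patched release. The following is an added example, not code from this issue or from typescript-plugin-css-modules; the tree, its shape and all intermediate version numbers are constructed to mirror the report.

```javascript
// Added example, not from the issue or from typescript-plugin-css-modules:
// walk a package-lock-style dependency tree and report every chain ending in a
// copy of a package below its patched release, like npm audit's "found in" list.
// The tree is constructed; intermediate version numbers are assumptions.
const constructedTree = {
  dependencies: {
    "typescript-plugin-css-modules": {
      version: "1.0.0",
      dependencies: {
        "postcss-filter-plugins": {
          version: "1.0.0",
          dependencies: { postcss: { version: "6.0.23" } },
        },
        "postcss-icss-keyframes": {
          version: "1.0.0",
          dependencies: {
            postcss: { version: "6.0.23" },
            "icss-utils": { version: "1.0.0", dependencies: { postcss: { version: "6.0.23" } } },
          },
        },
        postcss: { version: "8.4.21" }, // hoisted, already patched: must not be reported
      },
    },
  },
};

// Numeric comparison of dotted versions (major.minor.patch); true when a < b.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk collecting "a>b>pkg" chains whose leaf is still vulnerable.
function findVulnerablePaths(tree, pkg, patchedVersion) {
  const hits = [];
  (function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const chain = [...path, name];
      if (name === pkg && versionLessThan(dep.version, patchedVersion)) hits.push(chain.join(">"));
      walk(dep, chain);
    }
  })(tree, []);
  return hits;
}

console.log(findVulnerablePaths(constructedTree, "postcss", "8.2.13"));
```

Running it lists the three vulnerable chains under typescript-plugin-css-modules and skips the hoisted 8.4.21 copy, which is the distinction that matters when deciding whether a bump at the top level actually removes the finding.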


SukkaW commented Apr 5, 2022

Note it is not the issue of typescript-plugin-css-modules. It is postcss-icss-keyframes that relies on postcss@6.

@KenjiTakahashi

FYI css-modules/postcss-icss-selectors#126
Looks like these libs are dead and should not be used.

mrmckeb (Owner) commented Oct 24, 2022

Thanks, I'll look at replacing this dependency.

FBNitro (Author) commented Nov 29, 2022

#115 is now also causing audit issues because it is outdated.

mrmckeb (Owner) commented Dec 4, 2022

Deps are now updated and will be in the release today.

@mrmckeb mrmckeb closed this as completed Dec 4, 2022
FBNitro (Author) commented Dec 5, 2022

Sorry @mrmckeb it's still depending on postcss-icss-* and continues to fail audit checks with the latest version.

Can you reopen this please?

Version 4.1.1:

[critical] loader-utils: Prototype pollution in webpack loader-utils (1084924)
typescript-plugin-css-modules>postcss-icss-selectors>generic-names>loader-utils

As mentioned above, postcss-icss-selectors should not be used:
css-modules/postcss-icss-selectors#126

mrmckeb (Owner) commented Dec 11, 2022

Sorry, I was closing off a bunch of issues at once and didn't read the initial post in this issue correctly at the time (as I'd updated PostCSS).

Looking at the advisory, I don't think it is an immediate risk, but I understand the desire to deal with it ASAP:
GHSA-566m-qj78-rww5

This project predates the comment you mentioned, which is why it uses postcss-icss-selectors, however the refactor should allow us to remove that package.

Unfortunately this is a fairly big rewrite. I hope to have it finished, tested and shipped in the next few weeks. It looks like all of the packages you mentioned have been abandoned unfortunately, so I'll need to fork those or rewrite the functionality if I can't find suitable replacements.

mrmckeb (Owner) commented Dec 11, 2022

Looking at the plugins in more detail, I'm most concerned around postcss-filter-plugins which may be a feature we have to drop for now as there aren't any obvious replacements.

GZLiew commented Feb 2, 2023

Is this fix still ongoing? Do you need any help? @mrmckeb

@243083df

Can we just copy their sources and update deps like that, css-modules/postcss-icss-selectors#128?
They have an MIT license.

mrmckeb (Owner) commented Feb 18, 2023

Hi there, I'm working on this over this weekend. I'll remove these packages completely.

Sorry, it's hard to find large chunks of time for work like this outside of my other job, and life. I understand this is a big issue for some people and will aim to get it done this weekend.

@mrmckeb mrmckeb self-assigned this Feb 18, 2023
@mrmckeb mrmckeb added the enhancement New feature or request label Feb 18, 2023
@mrmckeb mrmckeb added this to the v4.2.0 milestone Feb 18, 2023