Advisory for v7 #1574

Closed
tombrown-ibm opened this issue May 10, 2021 · 20 comments

Comments

@tombrown-ibm

Would it be possible or is there a plan to patch v7 for the following advisory?

https://www.npmjs.com/advisories/1693

@tombrowndev

Here's my attempt

#1575

@ai
Member

ai commented May 10, 2021

Nope. I supported PostCSS 7 for 6 months after PostCSS 8. Support ended on January 1, 2021.

Only commercial support is possible right now.

@tombrowndev

Ok, feel free to close

@stephane-arista

react-scripts relies on v7, so this is probably breaking a ton of people's environments, and there is no straightforward upgrade path.

@ai
Member

ai commented May 10, 2021

@stephane-arista yeap, I know. I even created a PR to CRA with PostCSS 8 and tried to help them with the migration.

Unfortunately, CRA support is very bad. It would be unfair for me to work more because the CRA team wants to work less.

Force the CRA team to migrate ASAP, since they didn’t do it for almost a year and didn’t create an upgrade path for their users.

@Hypnosphi

Hypnosphi commented May 10, 2021

Here's the PR for reference facebook/create-react-app#9716

I hoped it would include some replacement for postcss-preset-env though, as it still depends on v7.

@stephane-arista

So what's the problem with just patching v7, since it's a very minor fix (from my quick look)?

@ai
Member

ai commented May 10, 2021

So what's the problem with just patching v7, since it's a very minor fix (from my quick look)?

Releasing and then supporting the issue.

In open source you need about 3-5x more work in addition to writing the code. Everything can go bad, and then I will fix it instead of sleeping (for instance, I didn’t sleep well today because I fixed a bug after the caniuse-lite security fixes).

@dezfowler

@ai There are still lots of libraries referenced directly or indirectly by CRA that are yet to upgrade to v8, and I don't think it's likely that this will happen any time soon.

By not patching v7, people are forced to find workarounds; the most common will be that they just disable npm audit, either altogether or just for postcss (like @hammerdr does here), which isn't good for anyone.

What is the solution, here?

@Hypnosphi

Hypnosphi commented May 11, 2021

You have a section in the README that looks like a list of recommended plugins, and it has quite a number of packages depending on the unsupported v7. stylelint and postcss-preset-env are some notable examples. Should they be removed from the list or marked somehow?

https://github.com/postcss/postcss#plugins

@ai
Member

ai commented May 11, 2021

@dezfowler update these libraries to PostCSS 8.

It is unfair to ask me to work more because somebody else (CRA, for instance) wants to work less and ignored PRs with the PostCSS update.

BTW, the postcss-preset-env 7→8 migration was not a blocker for CRA to update. They had a year to find a solution.

@ai
Member

ai commented May 11, 2021

Should they be removed from the list or marked somehow?

The better way is helping them with migration by sending PRs. But if you find a dead plugin that ignores PRs, I will remove it from the list.

@dezfowler

@ai I'm not asking you to work more, but we do need to find a solution. Unfortunately, a successful open source project can be both a blessing and a curse for a maintainer.

Getting those ~10 other libraries to migrate to v8 is not a simple ask; this issue coming up will no doubt accelerate that migration, but it's a process that's going to take a while when there are chains of dependencies involved.

I appreciate that you personally no longer want to invest time supporting v7; however, are there other options? Are you the sole person with commit/publish rights, or are there other core contributors?

@ai
Member

ai commented May 11, 2021

@dezfowler finding a proper way and compromises is hard work too.

I had a big thread about PostCSS 8 development on Twitter and got very little feedback from the community. The best place to discuss migration was there.

Lack of attention from the community (for many initiatives in addition to the PostCSS 8 thread) destroys my motivation to put extra attention into PostCSS (as I did for the PostCSS 1-6 releases).

Without motivation I will take the simplest steps for me. 6 months of PostCSS 7 support is the simplest way for me. If I fix this issue in PostCSS 7, it will stop the migration, and you will come back with another PostCSS 7 issue (for instance, Node.js 18 compatibility issues).

I know that you all want simple solutions. But I am tired of providing excellent support for PostCSS/Autoprefixer/Browserslist/caniuse-lite without proper attention from the community to my work. I now have other open source projects and passions, which require my time.

@dezfowler

@ai Totally understand. I can see how, because of the way PostCSS is used in a black-box way by other projects like CRA, the wider community is not aware or appreciative of the major role it plays. It's clear you've made every attempt to reach out to the larger projects dependent on PostCSS and help them with migration; I don't think you can really be expected to do much more than you have on that front.

Have you looked at or considered engaging with the OpenJS Foundation? They are able to help with organising maintainers, contributors, funding, etc. for projects like yours.

@ai
Member

ai commented May 11, 2021

@dezfowler thanks, I put a link in my to-do app and will review their Hosted Project submission process when I finish the Logux release process.

@joshbuker

This issue is also affecting @rails/webpacker: rails/webpacker#3017

@web-padawan

Stylelint is still in the process of migrating to v8 (stylelint/stylelint#4942), and they mentioned it won't be easy.
Looks like we have to ignore those dependabot alerts until a new Stylelint major version is out 🤷‍♂️

This seems a bit weird, as the suggested fix is to cherry-pick 2 lines of code, but it can't be done per the above comment.

ai referenced this issue May 13, 2021
Fix Strategy: Replace `(.*)` with `(?:(?!sourceMappingURL=).)*`
denniskigen added a commit to denniskigen/react-weather that referenced this issue May 16, 2021
Fixes a high severity vulnerability and a few moderate ones. Unfortunately,
this doesn't resolve vulnerabilities caused by dependencies to an older version
of PostCSS [more here](postcss/postcss#1574).
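As an added illustration of the fix strategy named in the referenced commit (example code written here, not PostCSS's own source), this applies the `(.*)` to `(?:(?!sourceMappingURL=).)*` substitution to a constructed annotation regex; the surrounding `/*# sourceMappingURL=... */` pattern and the sample CSS are assumptions.

```javascript
// Assumed surrounding pattern for a source-map annotation comment; only the
// capturing sub-pattern differs between the two forms.
const GREEDY = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;
const BOUNDED = /\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\s*\*\//;

// Extract the annotation URL using the given pattern (null if none found).
function extractAnnotation(css, re) {
  const m = re.exec(css);
  return m ? m[1].trim() : null;
}

// Run both forms over the same input so the difference is visible.
function compareAnnotationPatterns(css) {
  return {
    greedy: extractAnnotation(css, GREEDY),
    bounded: extractAnnotation(css, BOUNDED),
  };
}

// Constructed sample: one well-formed annotation. Both forms agree here.
const SIMPLE = 'a{color:red}\n/*# sourceMappingURL=app.css.map */\n';

// Constructed sample: two annotations on one line. The greedy `.*` runs to
// the last `*/` and swallows the second marker; the negative lookahead stops
// the loop before the next `sourceMappingURL=`, so the loop and the literal
// prefix can no longer compete for the same text during backtracking.
const DOUBLE =
  '/*# sourceMappingURL=a.css.map */ /*# sourceMappingURL=b.css.map */';

console.log(compareAnnotationPatterns(SIMPLE));
console.log(compareAnnotationPatterns(DOUBLE));
```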
@ai
Member

ai commented Jun 11, 2021

I backported the ReDoS fix from 8.x to 7.0.36 and asked to change the CVE (it could take a few days).

I fixed it only because another big open source project, which I respect, did it. I will not do it again.

Migrate from PostCSS 7 and donate to the awesome (but very underfunded) Stylelint and cssnano to help them with the PostCSS 8 migration. Our entire industry is based on their work:

@GPHemsley-RELX

For some reason, GHSA-566m-qj78-rww5 has only just now gotten published and is missing the information about the v7 fix, despite all the linked reference material reflecting it.
