Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade css-select from ^3.1.2 to ^4.1.3 #1485

Merged
merged 2 commits into from
Jun 26, 2021
Merged

Upgrade css-select from ^3.1.2 to ^4.1.3 #1485

merged 2 commits into from
Jun 26, 2021

Conversation

ericcornelissen
Copy link
Contributor

@ericcornelissen ericcornelissen commented Jun 5, 2021

Resolves #1488

This updates the css-select dependency from ^3.1.2 to ^4.1.2 in order to get the transitive dependency css-what updated to 5.0.1, which was vulnerable to ReDoS up-to-and-including 5.0.0. Given my understanding of SVGO, this means SVGO may be vulnerable as well when provided with a carefully crafted SVG containing CSS.

Alternatively, css-select can be set to as low as ^4.0.0 in order to get css-what updated to an appropriate version. I just set it to ^4.1.2 as that is the latest version as of opening this Pull Request.

As this concerns a vulnerable dependency that is also used in the latest SVGO v1, ideally SVGO v1 should also be patched. I'm not sure what the procedure is for updating SVGO v1 though...

@sgerrand
Copy link

sgerrand commented Jun 8, 2021

👋 @TrySound, are you able to review this change?

@underoot
Copy link

underoot commented Jun 8, 2021

It's worth also to upgrade it in 1.* version, because some of the projects depend on this version and it will be hard to upgrade it without breaking of API (i.e. look into gregberge/svgr#654)

@zackdotcomputer
Copy link

zackdotcomputer commented Jun 9, 2021

Noting that this "Resolves #1488" in the hopes that that magic phrase will close the issue when/if this get merged (I know that works if it's in the description of a PR, guess we'll find out if it works if its in a comment...)

Edit: RIP me - it doesn't

@zackdotcomputer
Copy link

FYI the breaking changes from css-select 3.1.2 -> 4.1.2 changelog (for someone with better knowledge of this codebase to be able to more easily review):

  • Several built-in pseudos are now stricter. This aligns them with the CSS spec, but might lead to changes in results.
  • In HTML, attributes are now automatically considered case-insensitive, based on the HTML spec. Some selectors might now match more elements.
  • Removed strict option.

@aleclarson
Copy link

@underoot This is a breaking change, as it affects CSS selectors in <style> elements, which requires svgo to bump to v3 major. Therefore, patching v1 is not viable.

@aleclarson
Copy link

For Yarn users (in your package.json):

"resolutions": {
  "**/css-what": "^5.0.0"
}

This should be safe to do, as it avoids any of the breaking changes introduced in css-select@4.

@ericcornelissen
Copy link
Contributor Author

This is a breaking change, as it affects CSS selectors in <style> elements, which requires svgo to bump to v3 major. Therefore, patching v1 is not viable.

Given that the changes are related to spec compliance (and the strict option doesn't seem to be used by SVGO) I'd be inclined to disagree. If you're using non-standard CSS selectors I think it's fair that SVGO doesn't support that out-of-the-box, and the fact that it did could be considered a bug. I think it's more important people on older versions of SVGO can easily update, than that a presumably small minority that uses non-standard selectors isn't bothered by an update.

Though of course it's up to the SVGO maintainers to decide.

Edit: RIP me - it doesn't

Did it for you 😉

package.json Outdated Show resolved Hide resolved
@ericcornelissen ericcornelissen changed the title Upgrade css-select from ^3.1.2 to ^4.1.2 Upgrade css-select from ^3.1.2 to ^4.1.3 Jun 17, 2021
@ericcornelissen ericcornelissen deleted the deps/update-css-select branch June 26, 2021 09:22
ludofischer pushed a commit to cssnano/cssnano that referenced this pull request Jun 27, 2021
svgo version 2.3.1 bumps transitive dependency css-what from 4.x to 5.x to address a ReDoS security vulnerability present in versions prior to this. (See svg/svgo/pull/1485)
@ericcornelissen
Copy link
Contributor Author

As this concerns a vulnerable dependency that is also used in the latest SVGO v1, ideally SVGO v1 should also be patched. I'm not sure what the procedure is for updating SVGO v1 though...

@TrySound, do you have any comment in this regard?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

"High" Severity Audit from dependency css-select and css-what