Description
Retire.js identifies a critical vulnerability when scanning projects with css-loader as a dependency.
Retire.js Report:

```json
"results": [
  {
    "component": "macaddress",
    "version": "0.2.8",
    "parent": {
      "component": "uniqid",
      "version": "4.1.1",
      "parent": {
        "component": "postcss-filter-plugins",
        "version": "2.0.2",
        "parent": {
          "component": "cssnano",
          "version": "3.10.0",
          "parent": {
            "component": "css-loader",
            "version": "0.28.11",
            "level": 1
          },
          "level": 2
        },
        "level": 3
      },
      "level": 4
    },
    "level": 5,
    "vulnerabilities": [
      {
        "info": [
          "https://hackerone.com/reports/319467"
        ],
        "severity": "critical",
        "identifiers": {
          "summary": "Command Injection"
        }
      }
    ]
  }
]
```
This vulnerability comes from one of the module's subdependencies - macaddress
```
npm ls macaddress
entitlements-ui@0.0.1 /Users/tpopov/Work/PlatformUI
└─┬ css-loader@0.28.11
  └─┬ cssnano@3.10.0
    └─┬ postcss-filter-plugins@2.0.2
      └─┬ uniqid@4.1.1
        └── macaddress@0.2.8
```
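For triage, the nested `parent` chain in a Retire.js result can be flattened into the same root-to-leaf path that `npm ls` prints, which shows which direct dependency has to be upgraded or replaced. The following is an added example, not part of the original issue or of Retire.js; the function names, the severity ordering and the fail-closed handling of unknown severities are assumptions, and the input is a constructed copy of the report above.

```javascript
// Constructed sample input mirroring the Retire.js report in this issue.
const sampleReport = { results: [{
  component: "macaddress", version: "0.2.8", level: 5,
  parent: { component: "uniqid", version: "4.1.1", level: 4,
    parent: { component: "postcss-filter-plugins", version: "2.0.2", level: 3,
      parent: { component: "cssnano", version: "3.10.0", level: 2,
        parent: { component: "css-loader", version: "0.28.11", level: 1 } } } },
  vulnerabilities: [{
    info: ["https://hackerone.com/reports/319467"],
    severity: "critical",
    identifiers: { summary: "Command Injection" }
  }]
}] };

// Assumed ordering of severity labels, lowest to highest.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Hypothetical helper: walk result -> parent -> parent ... and return the
// path from the direct dependency (level 1) down to the flagged component.
function dependencyPath(result) {
  const path = [];
  const seen = new Set(); // guards against a malformed, cyclic report
  for (let node = result; node && !seen.has(node); node = node.parent) {
    seen.add(node);
    path.unshift(`${node.component}@${node.version}`);
  }
  return path;
}

// Hypothetical helper: one finding per vulnerability at or above threshold.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  const findings = [];
  for (const result of report.results || []) {
    const path = dependencyPath(result);
    for (const vuln of result.vulnerabilities || []) {
      // A missing or unrecognised severity is treated as critical (fail closed).
      const rank = SEVERITY_RANK[vuln.severity] ?? SEVERITY_RANK.critical;
      if (rank < min) continue;
      findings.push({ path, directDependency: path[0], severity: vuln.severity,
        summary: vuln.identifiers?.summary ?? "", info: vuln.info || [] });
    }
  }
  return findings;
}

for (const f of findingsAtOrAbove(sampleReport, "high")) {
  console.log(`[${f.severity}] ${f.summary}: ${f.path.join(" > ")}`);
}
```

In a CI job, a non-empty return value from `findingsAtOrAbove` can be used to fail the build and report `directDependency` as the package to act on.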