
Postcss 8 #198

Closed
stof opened this issue Apr 21, 2021 · 11 comments · Fixed by #224
Comments

@stof

stof commented Apr 21, 2021

It would be great if the resolve-url-loader could be migrated to use postcss 8. Postcss 7 is not maintained anymore.

@SymbioticKilla

It also has a CVE before 8.2.10.

@bholloway bholloway pinned this issue Apr 30, 2021
@bholloway
Owner

I'm going to schedule this for v5 which 🤞 should happen in a few weeks.

The plan is to release and immediately supersede v4 with a v5. For v5 we can increase the node engine requirement and bump postcss to the latest version.

@bholloway bholloway added this to Duplicate / Discussion in version 5 Apr 30, 2021
@bholloway
Owner

Note that discussion is split across this issue and PR #169

@IronGeek

FWIW, this just popped up on my screen:

Overview
postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Remediation
Upgrade to version 8.2.10 or later

Resources
https://www.npmjs.com/advisories/1693

@taisph

taisph commented May 11, 2021

CVE-2021-23368 for reference.

blattersturm added a commit to citizenfx/fivem that referenced this issue May 13, 2021
We get postcss warnings instead pending bholloway/resolve-url-loader#198 dependency update.
@bholloway bholloway modified the milestones: v5, v4 May 20, 2021
@bholloway
Owner

bholloway commented May 20, 2021

There is an early v5 alpha v5 beta now available using Postcss 8, released as resolve-url-loader@next. Please give it a try. 🙏

I will leave this issue open until we have a full release of resolve-url-loader@5.0.0.

If you have tried the alpha and it works for you please 👍 here.

@bholloway
Owner

bholloway commented May 20, 2021

Crossposting from #169: the alternative interim fix is to force postcss@8 with the resolutions field.

@bdenhollander

postcss released a backported fix as 7.0.36, currently waiting on the CVE to be updated.
postcss/postcss#1574 (comment)

Can the dependency in v3 be upgraded to this version?

@bdenhollander

Can the dependency in v3 be upgraded to this version?

3.1.4 was released with the upgraded dependency: #210

@arborrow

Just noting https://nvd.nist.gov/vuln/detail/CVE-2021-23382 - it would be good to get things updated. Hopefully with the work on v5 something can be released in the not too distant future.

CVE-2021-23382 - moderate severity
Vulnerable versions: < 8.2.13
Patched version: 8.2.13

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).
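As an added illustration of the remediation direction (this is example code written for this page, not postcss's lib/previous-map.js or any code from the thread): the advisory above blames a greedy `(.*)` capture, so the extractor below locates the last sourceMappingURL annotation with plain lastIndexOf/indexOf scans and bounded slices, with no backtracking regex at all. It assumes the canonical `/*# sourceMappingURL=` and `//# sourceMappingURL=` spellings; the sample stylesheet is constructed for the demo.

```javascript
'use strict';

// Markers for the two annotation forms this example recognises. The real
// parser also tolerates whitespace after "/*"; this example does not.
const BLOCK_MARKER = '/*# sourceMappingURL=';
const LINE_MARKER = '//# sourceMappingURL=';

// Return the URL of the last source-map annotation in `css`, or null if
// there is none. Every step is an index scan or a slice between two known
// offsets, so an input stuffed with half-finished annotations costs one
// pass over the text rather than a backtracking search per occurrence.
function extractSourceMappingURL(css) {
  const blockStart = css.lastIndexOf(BLOCK_MARKER);
  const lineStart = css.lastIndexOf(LINE_MARKER);
  if (blockStart === -1 && lineStart === -1) return null;

  if (blockStart > lineStart) {
    // Block form: the URL runs up to the closing "*/" of that comment.
    const from = blockStart + BLOCK_MARKER.length;
    const end = css.indexOf('*/', from);
    if (end === -1) return null; // unterminated comment is not an annotation
    return css.slice(from, end).trim() || null;
  }

  // Line form: the URL runs to the end of the line (or end of input).
  const from = lineStart + LINE_MARKER.length;
  let end = css.indexOf('\n', from);
  if (end === -1) end = css.length;
  return css.slice(from, end).trim() || null;
}

// Constructed sample: an earlier annotation followed by the one that counts.
const SAMPLE_CSS = [
  'a { color: red; }',
  '/*# sourceMappingURL=old.css.map */',
  'b { color: blue; }',
  '/*# sourceMappingURL=app.css.map */',
  '',
].join('\n');

function demo() {
  return extractSourceMappingURL(SAMPLE_CSS); // "app.css.map"
}

module.exports = { extractSourceMappingURL, demo, SAMPLE_CSS };
```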

@bholloway
Owner

Released resolve-url-loader@5.0.0 as dist-tag latest.
Removed dist-tag next.

@bholloway bholloway moved this from Duplicate / Discussion to released in version 5 Jan 17, 2022