bjankord / stylelint-config-sass-guidelines

⚙ A stylelint config inspired by https://sass-guidelin.es/


PostCSS Upgrade

shamikulamin opened this issue · comments

Hello, it seems like today a security vulnerability for PostCSS v7 has been discovered, and it looks like it has been resolved in v8.2.10. Are there any plans to update the dependency to a safe version?

[Screenshot attached: 2021-05-10]

The issue is in a transitive dependency. I need stylelint and stylelint-order to cut new releases that update their postcss version to >=8.2.10.

stylelint@13.13.1 requires postcss@^7.0.32 via autoprefixer@9.8.6
stylelint@13.13.1 requires postcss@^7.0.14 via postcss-less@3.1.4
stylelint@13.13.1 requires postcss@^7.0.26 via postcss-safe-parser@4.0.2
stylelint@13.13.1 requires postcss@^7.0.21 via postcss-sass@0.4.4
stylelint@13.13.1 requires postcss@^7.0.6 via postcss-scss@2.1.1
stylelint@13.13.1 requires postcss@^7.0.2 via sugarss@2.0.0
stylelint@13.13.1 requires postcss@^7.0.35

stylelint-order@4.1.0 requires postcss@^7.0.17 via postcss-sorting@5.0.1
stylelint-order@4.1.0 requires postcss@^7.0.31

More info on the postcss upgrade in stylelint can be found here: stylelint/stylelint#4942 (comment)
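The dependency listing above shows the core supply-chain question in this issue: every `postcss` range is a caret range on major 7, so a fix that only exists in 8.2.10 is unreachable without upstream releases changing the range, whereas a fix back-ported into the 7.x line would be reachable by a simple lockfile bump. The following standalone script is an added example (not part of this repository or of stylelint) that parses `requires ... via ...` lines of the form quoted above and classifies each range against a table of "first fixed version per major". The input lines are copied from the comment above; the `7.0.99` floor used in the second call is a placeholder for a hypothetical 7.x back-port, not a real PostCSS version.

```python
"""Classify transitive dependency ranges against known-fixed versions.

Added example for the stylelint-config-sass-guidelines PostCSS issue.
Handles caret ranges on full x.y.z versions, which is all the issue shows.
"""
import re

# Input taken from the maintainer's comment in the issue thread above.
DEPENDENCY_LINES = """
stylelint@13.13.1 requires postcss@^7.0.32 via autoprefixer@9.8.6
stylelint@13.13.1 requires postcss@^7.0.14 via postcss-less@3.1.4
stylelint@13.13.1 requires postcss@^7.0.26 via postcss-safe-parser@4.0.2
stylelint@13.13.1 requires postcss@^7.0.21 via postcss-sass@0.4.4
stylelint@13.13.1 requires postcss@^7.0.6 via postcss-scss@2.1.1
stylelint@13.13.1 requires postcss@^7.0.2 via sugarss@2.0.0
stylelint@13.13.1 requires postcss@^7.0.35
stylelint-order@4.1.0 requires postcss@^7.0.17 via postcss-sorting@5.0.1
stylelint-order@4.1.0 requires postcss@^7.0.31
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<root>[^@\s]+)@(?P<root_ver>\S+) requires "
    r"(?P<dep>[^@\s]+)@(?P<range>\S+)(?: via (?P<via>\S+))?$"
)


def parse_version(text):
    """'7.0.32' -> (7, 0, 32); tuples compare correctly as semver triples."""
    return tuple(int(part) for part in text.split("."))


def caret_bounds(range_spec):
    """Return (lower_inclusive, upper_exclusive) for a caret range like ^7.0.32.

    npm caret semantics: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
    """
    if not range_spec.startswith("^"):
        raise ValueError(f"unsupported range (only caret ranges handled): {range_spec}")
    lower = parse_version(range_spec[1:])
    major, minor, patch = lower
    if major > 0:
        upper = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return lower, upper


def classify(range_spec, fixed_floors):
    """Classify a range given fixed_floors: {major: first fixed version on that line}.

    'safe'       every version the range admits is already at/after the fix
    'audit-fix'  a fixed version exists inside the range, so a lockfile bump
                 (npm audit fix) can reach it without upstream changes
    'major-bump' no fixed version inside the range; upstream must change it
    """
    lower, upper = caret_bounds(range_spec)
    floor = fixed_floors.get(lower[0])
    if floor is None:
        return "major-bump"
    floor_v = parse_version(floor)
    if lower >= floor_v:
        return "safe"
    if floor_v < upper:
        return "audit-fix"
    return "major-bump"


def report(lines, fixed_floors):
    """Parse dependency lines and return [(package, range, status), ...]."""
    results = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines or lines in another format
        package = match["via"] or match["root"]
        results.append((package, match["range"], classify(match["range"], fixed_floors)))
    return results


if __name__ == "__main__":
    # Situation at the time of the issue: the only known fix is 8.2.10.
    print("fix only in 8.x:")
    for pkg, rng, status in report(DEPENDENCY_LINES, {8: "8.2.10"}):
        print(f"  {pkg:<28} {rng:<10} {status}")
    # Hypothetical back-port into 7.x; 7.0.99 is a placeholder version.
    print("fix back-ported into 7.x (placeholder floor 7.0.99):")
    for pkg, rng, status in report(DEPENDENCY_LINES, {8: "8.2.10", 7: "7.0.99"}):
        print(f"  {pkg:<28} {rng:<10} {status}")
```

Run it as-is to see that with only an 8.2.10 fix every one of the nine ranges reports `major-bump`, matching the maintainer's point that new stylelint and stylelint-order releases are required; adding a 7.x floor flips them all to `audit-fix`, which is the situation the later comment describes once a back-port exists.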

PostCSS v7 was released with a back-port of the ReDoS fix. So stylelint users on the current version of stylelint should see the warning go away after running npm audit fix (it could take a few days until npm audit knows about the fix).

https://twitter.com/PostCSS/status/1403351574110511106

This should be resolved in v8.0.0 and the soon to be released v9.0.0 versions of this project.