Dependent PostCSS line return parsing error
basurohit77 opened this issue · comments
Bug report
PostCSS line return parsing error
GHSA-7fh5-64p2-3v2j
Actual Behavior
It has dependency of "postcss": "^8.4.29", which is <8.4.31 according to
GHSA-7fh5-64p2-3v2j
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Expected Behavior
Update the dependency of "postcss": "^8.4.29", to "^8.4.31"
How Do We Reproduce?
It already has a vulnerability
CVE-2023-44270
Please paste the results of npx webpack info
here, and mention other relevant information
Hello, you can update deps locally, we have postcss
in peerDependencies
to support v7 and v8 and we use ^
to allow installing new versions with fixes, so plese update your deps locally, thank you, feel free to feedback