Regular Expression Denial of Service in postcss (6.0.11)

[Shramkoweb]

Do you want to request a feature, report a bug or ask a question?
Security issue.

What is the current behavior?

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).

svg-sprite-loader@6.0.11 requires postcss@^5.2.17 via svg-baker@1.7.0

Please tell us about your environment:

• Node.js version: 16
• webpack version: 4
• svg-sprite-loader version: 6.0.11
• OS type & version: macOS

[NickWoodward]

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

[Shramkoweb]

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

No. Unfortunately, I am waiting for a fix.