update postcss #44

sotten · 2021-05-19T18:05:59Z

Please Update postcss/postcss to the newest version (8.2.15).
postcss/postcss#1567

andyjansson · 2021-05-19T18:38:28Z

We don't actually include postcss as a dependency, so there's nothing for us to update here. postcss is listed as a peer dependency, meaning that the plugin will work for any version you pair it with, as long as it's within the same semver range (which happens to be 8.0.0 and up).

Also, how does the PR relate to your request?

sotten · 2021-05-19T18:51:02Z

The PR Fixed a Regular Expression Denial of Service. See https://www.npmjs.com/advisories/1693
and https://nvd.nist.gov/vuln/detail/CVE-2021-23382

If I understand it correctly, package-lock.json sets the dependency to a fixed version. The dependabot has also changed the dependency as in #43.

andyjansson · 2021-05-19T19:09:02Z

You seem to be under a misapprehension of how package-lock.json works. Whatever version we have set in our repository does not apply to you as a consumer; You have your own package-lock.json that dictate what version will be installed.

sotten · 2021-05-19T19:24:40Z

Learned something again. Sorry for the issue and thanks for the explanation.

sotten closed this as completed May 19, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update postcss #44

update postcss #44

sotten commented May 19, 2021

andyjansson commented May 19, 2021 •

edited

sotten commented May 19, 2021 •

edited

andyjansson commented May 19, 2021

sotten commented May 19, 2021

update postcss #44

update postcss #44

Comments

sotten commented May 19, 2021

andyjansson commented May 19, 2021 • edited

sotten commented May 19, 2021 • edited

andyjansson commented May 19, 2021

sotten commented May 19, 2021

andyjansson commented May 19, 2021 •

edited

sotten commented May 19, 2021 •

edited