[Bug] : Vulnerabilities on version 4.x.x with PostCSS #1106
Comments
Can't be fixed here, please open an issue in |
@alexander-akait can you elaborate? Apparently cssnano-preset-default requires a vulnerable version of postcss
We can't use
Maybe |
I have already opened a PR some months ago to switch rollup-plugin-postcss to cssnano 5 egoist/rollup-plugin-postcss#357
A version of cssnano-preset-default without the vulnerable dependency already exists, it's version 5.x.x. All PostCSS 7 versions are vulnerable, so to avoid the vulnerability you need PostCSS 8. Since cssnano is a suite of PostCSS plugins, dropping the PostCSS 7 dependency requires rewriting it to use the PostCSS 8 API, which breaks compatibility with PostCSS 7. We already did this work and released it with a major version bump as cssnano 5.
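The dependency-chain argument in the comment above (cssnano 4 pulls in cssnano-preset-default 4, which pins a PostCSS 7 release, so the fix is to move the direct dependency to cssnano 5 rather than to touch postcss) is what npm audit does when it walks the installed tree. The block below is an added example, not code from the cssnano project or from anyone in this thread: it walks a constructed tree in the shape that npm ls --json prints, flags any installed package whose version falls inside an assumed advisory range, and names the direct dependency that has to be upgraded. The package versions and the advisory (postcss below 8.0.0, taken from the maintainer's statement that all PostCSS 7 versions are affected) are sample data for the demonstration, not the result of a real advisory lookup.

```javascript
// Added example: trace every dependency path that ends in a package whose
// installed version is inside a vulnerable range, the way `npm audit` does
// for transitive dependencies, then report which direct dependency to bump.
// Everything below is constructed sample data; it is not a real advisory feed.

// Constructed tree in the shape `npm ls --json` prints. The cssnano 4 chain
// reaches a PostCSS 7 release; the other tool resolves PostCSS 8 and is clean.
const sampleTree = {
  name: "audit-demo",
  version: "1.0.0",
  dependencies: {
    cssnano: {
      version: "4.1.11",
      dependencies: {
        "cssnano-preset-default": {
          version: "4.0.8",
          dependencies: {
            postcss: { version: "7.0.39" },
          },
        },
      },
    },
    "some-other-tool": {
      version: "2.0.0",
      dependencies: {
        postcss: { version: "8.4.21" },
      },
    },
  },
};

// Constructed advisory list (assumption for the demo): a package is affected
// when its installed version is strictly below `below`.
const advisories = [
  { name: "postcss", below: "8.0.0", severity: "moderate" },
];

// Minimal semver core parsing (major.minor.patch); prerelease and build tags
// are ignored, which is enough for comparing release versions in this tree.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a sorts strictly before version b.
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Depth-first walk over the tree; returns one hit per vulnerable installation,
// with the full path from the root so the chain is visible in the report.
function findVulnerablePaths(tree, advisoryList) {
  const hits = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      for (const adv of advisoryList) {
        if (adv.name === name && versionLessThan(child.version, adv.below)) {
          hits.push({
            package: name,
            version: child.version,
            severity: adv.severity,
            path: here,
          });
        }
      }
      walk(child, here);
    }
  }
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// The root is path[0]; the direct dependency a user can actually change is
// path[1] (e.g. "cssnano@4.1.11"), never the transitive package itself.
function directDependencyToUpgrade(hit) {
  return hit.path.length > 1 ? hit.path[1] : null;
}

// Human-readable lines of the kind a practitioner wants from an audit.
function formatReport(tree, advisoryList) {
  return findVulnerablePaths(tree, advisoryList).map(
    (h) =>
      `${h.severity}: ${h.package}@${h.version} via ${h.path.join(" > ")}` +
      ` (upgrade ${directDependencyToUpgrade(h)})`,
  );
}

console.log(formatReport(sampleTree, advisories).join("\n"));
```

Run as-is, the report lists one hit through cssnano@4.1.11 and none through the tool that resolved PostCSS 8, which mirrors the thread: the only actionable change is the direct dependency, so replacing the cssnano entry with a 5.x release (which resolves cssnano-preset-default 5 and PostCSS 8) empties the report, while pinning postcss alone would not change what cssnano-preset-default 4 requires.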
Sorry for jumping into a closed issue, especially if this isn't even the same thing but I'm getting people complaining about vulnerability warnings in Tailwind that appear to come from cssnano but I can't even understand why. Here's a project where I've just pulled in cssnano ^5 and no other packages, and But as far as I understand these vulnerabilities aren't actually present in v5 and up, so I'm not sure why npm reports these warnings or what we can even do on our end to eliminate them? Super confusing stuff. |
@adamwathan Maybe what you're experiencing is in part a different issue than what your users are seeing. I cannot reproduce your example (but it got me worried that I've bungled a release completely!): it looks like an old nightly release of That said, even with what I think are the right packages installed, |
Yeah you're right traced it down to svgo which does currently have an issue. Thank you! |
Has this been resolved? I'm still getting vulnerability warnings from
Open an issue in |
Describe the bug
There is a moderate security vulnerability reported by npm audit on the postcss version used by 4.1.11. This one is related: egoist/rollup-plugin-postcss#373
I know dependants should probably update to 5.x.x, but since 4.1.11 is the most downloaded version, and it seems to be still maintained (given that the last release is fairly recent), I think this bug report is justified.
To Reproduce
Steps to reproduce the behavior:
1. Add cssnano version 4.1.11 to a fresh environment.
2. Run npm audit.
Expected behavior
No security vulnerability warnings.
Screenshots
(from cssnano-playground)
Desktop (please complete the following information):
npx envinfo && npm ls cssnano: here