[Bug] : Vulnerabilities on version 4.x.x with PostCSS #1106

Closed
beruic opened this issue May 17, 2021 · 9 comments

Comments

beruic commented May 17, 2021

Describe the bug

There is a moderate security vulnerability reported by npm audit on the postcss version used by 4.1.11.

This one is related: egoist/rollup-plugin-postcss#373

I know dependants should probably update to 5.x.x, but since 4.1.11 is the most downloaded version, and it seems to be still maintained (given the last release to be fairly recent), I think this bug report is justified.

To Reproduce
Steps to reproduce the behavior:

  1. Install cssnano version 4.1.11 to a fresh environment.
  2. Run npm audit

Expected behavior
No security vulnerability warnings.

Screenshots
If applicable, add screenshots to help explain your problem. (from cssnano-playground)

Desktop (please complete the following information):

  • CSSNANO Version [e.g. 22]
  • Plugins/presets versions
  • Add the output of npx envinfo && npm ls cssnano here
$ npx envinfo
npx: installed 1 in 0.883s

  System:
    OS: Linux 5.8 Ubuntu 20.04.2 LTS (Focal Fossa)
    CPU: (8) x64 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
    Memory: 336.23 MB / 23.24 GB
    Container: Yes
    Shell: 5.8 - /usr/bin/zsh
  Binaries:
    Node: 12.22.1 - /usr/bin/node
    npm: 6.14.12 - /usr/bin/npm
  Managers:
    Apt: 2.0.5 - /usr/bin/apt
    Gradle: 4.4.1 - /usr/bin/gradle
  Utilities:
    Make: 4.2.1 - /usr/bin/make
    GCC: 9.3.0 - /usr/bin/gcc
    Git: 2.31.1 - /usr/bin/git
    Ninja: 1.10.0 - /usr/bin/ninja
    FFmpeg: 4.2.4 - /usr/bin/ffmpeg
  Servers:
    Nginx: 1.18.0 - /usr/sbin/nginx
  Virtualization:
    Docker: 20.10.2 - /usr/bin/docker
  IDEs:
    Nano: 4.8 - /usr/bin/nano
    VSCode: 1.56.2 - /usr/bin/code
  Languages:
    Bash: 5.0.17 - /usr/bin/bash
    Perl: 5.30.0 - /usr/bin/perl
    Python: 3.8.5 - /usr/bin/python
    Python3: 3.8.5 - /usr/bin/python3
  Databases:
    MySQL: 0.20.04.1 - /usr/bin/mysql
  Browsers:
    Chrome: 90.0.4430.212
    Firefox: 88.0.1

$ npm ls cssnano
safeex_cloud@ /home/jmk/git/safeex-cloud-app
└─┬ rollup-plugin-postcss@4.0.0
  └── cssnano@4.1.11 

Additional context
Add any other context about the problem here.

@alexander-akait (Member)

Can't be fixed here, please open an issue in rollup-plugin-postcss or in postcss

@michael-goss

@alexander-akait can you elaborate? Apparently cssnano-preset-default requires a vulnerable version of postcss

@alexander-akait (Member) commented May 18, 2021

We can't use postcss v5 for cssnano v4 because it is a breaking change; here are two solutions:

  • migrate to cssnano v5 (please open an issue in rollup-plugin-postcss)
  • backport the vulnerability fix to postcss v4 (please open an issue in postcss)

Maybe postcss has already fixed this issue, so you need to update your deps (npm update)

@ludofischer (Collaborator)

I already opened a PR some months ago to switch rollup-plugin-postcss to cssnano 5: egoist/rollup-plugin-postcss#357

@alexander-akait can you elaborate? Apparently cssnano-preset-default requires a vulnerable version of postcss

A version of cssnano-preset-default without the vulnerable dependency already exists, it's version 5.x.x

All PostCSS 7 versions are vulnerable so to avoid the vulnerability you need PostCSS 8. Since cssnano is a suite of PostCSS plugins, dropping the PostCSS 7 dependency requires rewriting it to use the PostCSS 8 API, which breaks compatibility with PostCSS 7. We already did this work and released it with a major version bump as cssnano 5.

@adamwathan

Sorry for jumping into a closed issue, especially if this isn't even the same thing, but I'm getting people complaining about vulnerability warnings in Tailwind that appear to come from cssnano, and I can't even understand why.

Here's a project where I've just pulled in cssnano ^5 and no other packages, and npm audit shows 6 high severity vulnerabilities:

[image: screenshot of the npm audit output]

But as far as I understand these vulnerabilities aren't actually present in v5 and up, so I'm not sure why npm reports these warnings or what we can even do on our end to eliminate them? Super confusing stuff.

@ludofischer (Collaborator)

@adamwathan Maybe what you're experiencing is in part a different issue than what your users are seeing. I cannot reproduce your example (but it got me worried that I've bungled a release completely!): it looks like an old nightly release of cssnano-preset-default ended up in the dependency tree. But when I install cssnano@^5.0.5, I receive cssnano-preset-default^5.1.2 (package.json in cssnano@5.0.5 does specify preset-default^5.1.2).

That said, even with what I think are the right packages installed, npm audit does tell me about 1 (not 6) high severity vulnerability in a svgo dependency:
cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what
That's credible, as svgo uses css-select ^3.1.2 but there's a css-select 4 out (which updates css-what). It looks like the only solution is to update the svgo dependency.

@adamwathan

Yeah, you're right, traced it down to svgo, which does currently have an issue. Thank you!

@AlanBreck

Has this been resolved? I'm still getting vulnerability warnings from npm audit:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install cssnano@3.10.0, which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  >=4.0.0-nightly.2020.1.9
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano

6 high severity vulnerabilities
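The chain in the audit output above, traced programmatically, as an added example that is not cssnano's or npm's own code: it walks a hand-built lock-file-style tree mirroring that chain and reports each top-level package whose transitive css-what is installed at a version inside the advisory range `<5.0.1`. The postcss-svgo and svgo versions in the tree are assumed; the other versions and the range come from this thread.

```python
import re
# Constructed to mirror the chain npm audit reported in this thread; the
# postcss-svgo and svgo versions are assumed. name -> (installed, direct deps)
TREE = {
    "cssnano": ("5.0.5", ["cssnano-preset-default"]),
    "cssnano-preset-default": ("5.1.2", ["postcss-svgo"]),
    "postcss-svgo": ("5.0.1", ["svgo"]),
    "svgo": ("2.3.0", ["css-select"]),
    "css-select": ("3.1.2", ["css-what"]),
    "css-what": ("4.0.0", []),
}
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def parse_version(version):
    """Numeric (major, minor, patch); pre-release tags such as
    '-nightly.2020.1.9' are ignored, a simplification over full semver."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(x) for x in m.groups())

def satisfies(version, range_expr):
    """True if version meets every comparator in e.g. '<5.0.1' or '>=1.0.0 <5.0.1'."""
    v = parse_version(version)
    for clause in range_expr.split():
        op, bound = re.match(r"^(<=|>=|<|>|=?)(.+)$", clause).groups()
        if not OPS[op or "="](v, parse_version(bound)):
            return False
    return True

def dependency_paths(tree, root, target, path=()):
    """Every dependency path from root down to target, depth first."""
    path = path + (root,)
    if root == target:
        return [path]
    found = []
    for dep in tree.get(root, ("", []))[1]:
        if dep not in path:  # a cycle in the tree must not recurse forever
            found.extend(dependency_paths(tree, dep, target, path))
    return found

def audit(tree, target, vulnerable_range):
    """Chains, in npm audit's 'a > b > c' form, from each top-level package to
    target, reported only if the installed target version is in the range."""
    if not satisfies(tree[target][0], vulnerable_range):
        return []
    depended_on = {d for _, deps in tree.values() for d in deps}
    roots = [name for name in tree if name not in depended_on]
    return [" > ".join(p) for r in roots for p in dependency_paths(tree, r, target)]
```

Bumping css-what in the tree to 5.0.1 makes `audit` return nothing, which is the check to run after an update to confirm the advisory no longer applies to the installed tree.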

@alexander-akait (Member)

Open an issue in css-what
