Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 1 addition and 1 deletion.
8682b1e
7.x support is over on Jan 1, 2020.
The issue is not so critical (it affects only online tools like CodePen). It is better to use this reason to update to PostCSS 8.
8682b1e
Ask Angular 11 to update cssnano.
8682b1e
Would this affect any project using editors like monaco-editor which has postcss or other browser based code editors with a dependency on V7 of postcss 💭
8682b1e
@GeorgiosP it affects only use cases when:
In this case, the user can generate special CSS which will take seconds or minutes to compile. An attacker can use it to DoS your servers.
If you can’t update PostCSS, you can add a timeout for CSS processing.
8682b1e
@ai thanks for the additional context 🙏🏼
8682b1e
How do I upgrade from 8.1.14 to the patched 8.2.10 in my laravel project?
8682b1e
Eagerly waiting for this answer
8682b1e
@Sesughter01
yarn upgrade
or
npm update
should update your nested dependencies. But it is better to ask in the Laravel community.
8682b1e
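A quick way to confirm that the update above actually replaced every nested copy is to audit the lockfile rather than trusting the top-level version. The following is an added example, not code from the PostCSS project or from anyone in this thread: it walks a package-lock.json (both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1) and reports each postcss entry older than 8.2.10, the patched release named in the thread. The threshold is an assumption taken from the comments above (check the advisory for the exact affected range), the sample lockfiles are constructed, and versions are compared numerically so that 8.2.9 is correctly ranked below 8.2.10.

```javascript
// Added example: audit a package-lock.json for nested postcss copies below a
// threshold version. Not part of the PostCSS project. The 8.2.10 threshold is
// taken from the thread above (assumption); the lockfiles below are constructed.

const PATCHED = '8.2.10';

// Numeric comparison of dotted versions (prerelease suffix ignored).
// Plain string comparison would wrongly rank "8.2.9" above "8.2.10".
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every install path whose postcss version is older than `patched`,
// sorted by path so the output is stable.
function findOutdatedPostcss(lock, patched = PATCHED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path,
    // e.g. "node_modules/postcss-loader/node_modules/postcss"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isPostcss = path === 'node_modules/postcss' || path.endsWith('/node_modules/postcss');
      if (isPostcss && meta.version && compareVersions(meta.version, patched) < 0) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree of { version, dependencies }
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'postcss' && meta.version && compareVersions(meta.version, patched) < 0) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed lockfileVersion 2 sample: the top-level copy was updated, but a
// runner still pins an older 8.x copy and a plugin still pins a 7.x copy.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app' },
    'node_modules/postcss': { version: '8.2.10' },
    'node_modules/postcss-loader': { version: '4.0.0' },
    'node_modules/postcss-loader/node_modules/postcss': { version: '8.1.14' },
    'node_modules/some-plugin/node_modules/postcss': { version: '7.0.0' },
  },
};

// Constructed lockfileVersion 1 sample with one outdated nested copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    postcss: { version: '8.2.10' },
    'postcss-loader': { version: '4.0.0', dependencies: { postcss: { version: '8.1.14' } } },
  },
};

const report = findOutdatedPostcss(SAMPLE_LOCK_V2);
console.log(report.length ? report : 'no postcss copies below ' + PATCHED);
```

To run it against a real project, replace the constructed sample with `JSON.parse` of the project's own package-lock.json; a non-empty report means `npm update` / `yarn upgrade` left a nested copy behind that still needs attention.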
@ai We run a DevSecOps pipeline (gov't work), and these vulns are causing full blockages. Not every plugin is compatible with v8 at the moment. Seems like it's taking the community some time to make the jump. Would you consider cutting a 7.x release for this?
8682b1e
@josephzidell this vulnerability affects only runners (postcss-loader, postcss-cli, gulp-postcss) and only on web compilers accepting user-generated CSS (like CodePen). PostCSS in plugin dependencies is not affected by this vulnerability.
PostCSS 7 support ended in January 2021.
If you want extended support, you can pay for PostCSS commercial support.
8682b1e
I have
8682b1e
I don't understand, I have the same issue and even more...