
Audit issues due to postcss version

Open: FBNitro opened this issue

Describe the bug

[ moderate ] Regular Expression Denial of Service in postcss
 vulnerable versions <8.2.13 found in:
 - dependencies: typescript-plugin-css-modules>postcss-filter-plugins>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>icss-utils>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-selectors>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-selectors>icss-utils>postcss

To Reproduce

Execute yarn audit or npm audit.

Expected behavior

A successful audit.

Note: I realize that the postcss-filter-plugins/postcss-icss-* modules are way out of date; that's the underlying cause... maybe there's another package this could move to.

FBNitro avatar Jan 07 '22 19:01 FBNitro
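The audit output above lists each transitive path from typescript-plugin-css-modules down to a postcss below the fixed version. The following is an added example, not code from the issue thread or from the typescript-plugin-css-modules project: it walks an npm-style dependency tree (the nested `{ version, dependencies }` shape that `npm ls --json` emits) and reports every path that reaches a package whose installed version is below a given floor, which is exactly the "a>b>c" chain the audit prints. The tree is constructed to reproduce three of the paths quoted in the report; the version numbers on the intermediate packages are assumptions for illustration only.

```javascript
// Added example, not part of the issue or the project. Finds dependency
// paths to an installed package whose version is below a fixed version,
// the same chains `npm audit` reports as "dependencies: a>b>c".

// Constructed sample tree in the shape of `npm ls --json`:
// { name, version, dependencies: { <name>: { version, dependencies } } }.
// Intermediate versions are assumed; only the postcss versions matter here.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "typescript-plugin-css-modules": {
      version: "3.4.0", // assumed
      dependencies: {
        "postcss-filter-plugins": {
          version: "3.0.1", // assumed
          dependencies: { postcss: { version: "6.0.23", dependencies: {} } },
        },
        "postcss-icss-keyframes": {
          version: "0.2.1", // assumed
          dependencies: {
            postcss: { version: "6.0.23", dependencies: {} },
            "icss-utils": {
              version: "3.0.1", // assumed
              dependencies: { postcss: { version: "6.0.23", dependencies: {} } },
            },
          },
        },
        // A direct, already-patched copy; must not be reported.
        postcss: { version: "8.4.5", dependencies: {} },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare numerically component by component, never as strings:
// "8.10.0" must sort above "8.2.13".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every path (as "a>b>c") from the root to an installed copy of
// `pkg` whose version is strictly below `fixedIn`. The tree from
// `npm ls --json` is nested and acyclic, so no visited set is needed.
function findVulnerablePaths(root, pkg, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (name === pkg && compareVersions(child.version, fixedIn) < 0) {
        hits.push({ path: here.join(">"), version: child.version });
      }
      walk(child, here);
    }
  };
  walk(root, []);
  return hits;
}

// Usage: the advisory in this issue is "postcss < 8.2.13".
for (const hit of findVulnerablePaths(sampleTree, "postcss", "8.2.13")) {
  console.log(`${hit.path} (postcss@${hit.version})`);
}
```

To run this against a real install, feed it the parsed output of `npm ls postcss --json --all` instead of `sampleTree`; the direct `postcss@8.4.5` in the sample shows why a flat "is postcss up to date?" check is not enough, since the vulnerable copies sit only under the unmaintained postcss-icss-* packages.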

Note that this is not an issue with typescript-plugin-css-modules. It is postcss-icss-keyframes that relies on postcss@6.

SukkaW avatar Apr 05 '22 19:04 SukkaW

FYI https://github.com/css-modules/postcss-icss-selectors/issues/126. Looks like these libs are dead and should not be used.

KenjiTakahashi avatar Apr 13 '22 19:04 KenjiTakahashi

Thanks, I'll look at replacing this dependency.

mrmckeb avatar Oct 24 '22 07:10 mrmckeb

#115 is now also causing audit issues because it is outdated.

FBNitro avatar Nov 29 '22 16:11 FBNitro

Deps are now updated and will be in the release today.

mrmckeb avatar Dec 04 '22 00:12 mrmckeb

Sorry @mrmckeb it's still depending on postcss-icss-* and continues to fail audit checks with the latest version.

Can you reopen this please?

Version 4.1.1:

[critical] loader-utils: Prototype pollution in webpack loader-utils (1084924) typescript-plugin-css-modules>postcss-icss-selectors>generic-names>loader-utils

As mentioned above, postcss-icss-selectors should not be used: https://github.com/css-modules/postcss-icss-selectors/issues/126

FBNitro avatar Dec 05 '22 21:12 FBNitro

Sorry, I was closing off a bunch of issues at once and didn't read the initial post in this issue correctly at the time (as I'd updated PostCSS).

Looking at the advisory, I don't think it is an immediate risk, but I understand the desire to deal with it ASAP: https://github.com/advisories/GHSA-566m-qj78-rww5

This project predates the comment you mentioned, which is why it uses postcss-icss-selectors, however the refactor should allow us to remove that package.

Unfortunately this is a fairly big rewrite. I hope to have it finished, tested and shipped in the next few weeks. It looks like all of the packages you mentioned have been abandoned unfortunately, so I'll need to fork those or rewrite the functionality if I can't find suitable replacements.

mrmckeb avatar Dec 11 '22 06:12 mrmckeb

Looking at the plugins in more detail, I'm most concerned around postcss-filter-plugins which may be a feature we have to drop for now as there aren't any obvious replacements.

mrmckeb avatar Dec 11 '22 06:12 mrmckeb

Is this fix still ongoing? Do you need any help? @mrmckeb

GZLiew avatar Feb 02 '23 23:02 GZLiew

Can we just copy their sources and update deps like that: https://github.com/css-modules/postcss-icss-selectors/pull/128? They have an MIT license.

243083df avatar Feb 16 '23 09:02 243083df

Hi there, I'm working on this over this weekend. I'll remove these packages completely.

Sorry, it's hard to find large chunks of time for work like this outside of my other job, and life. I understand this is a big issue for some people and will aim to get it done this weekend.

mrmckeb avatar Feb 18 '23 01:02 mrmckeb

This is now available in v4.2.1:

  • https://github.com/mrmckeb/typescript-plugin-css-modules/releases/tag/v4.2.1
  • https://github.com/mrmckeb/typescript-plugin-css-modules/releases/tag/v4.2.0

mrmckeb avatar Feb 19 '23 03:02 mrmckeb