
a vulnerability CVE-2020-7598 is introduced in css-modules-flow-types-cli

Open · ayaka-kms opened this issue 4 years ago · 1 comment

Hi, a vulnerability CVE-2021-23382 is introduced in css-modules-flow-types-cli via: ● [email protected][email protected][email protected]

css-modules-loader-core is a legacy package. It has not been maintained for about 4 years, and is not likely to be updated. Is it possible to migrate css-modules-loader-core to other package to remediate this vulnerability?

I noticed several migration records for css-modules-loader-core in other js repos, such as

  1. in postcss-modules, version 2.0.0 ➔ 3.0.0, remove css-modules-loader-core via commit
  2. in broccoli-css-modules, version 0.5.0 ➔ 0.5.1, remove css-modules-loader-core via commit

Are there any efforts planned that would remediate this vulnerability or migrate css-modules-loader-core?

Thanks ; )

ayaka-kms · Aug 13 '21 15:08
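The dependency chain in the report above (root package ➔ css-modules-loader-core ➔ postcss) can be verified mechanically against a lockfile rather than by hand. The following is an added example, not code from the issue or the project: it walks a constructed package-lock style `packages` map (hoisted layout, placeholder versions) and returns every path from the root to a named vulnerable package, plus the direct dependencies that would need migrating.

```javascript
// Added example (not from the issue or the project). The lock data is
// constructed for illustration; versions are placeholders, not real ones.
const constructedLock = {
  name: "css-modules-flow-types-cli",
  packages: {
    "": { name: "css-modules-flow-types-cli",
          dependencies: { "css-modules-loader-core": "*", chalk: "*" } },
    "node_modules/css-modules-loader-core": {
      version: "0.0.0-placeholder",
      dependencies: { postcss: "*", "postcss-modules-scope": "*" } },
    "node_modules/postcss-modules-scope": {
      version: "0.0.0-placeholder", dependencies: { postcss: "*" } },
    "node_modules/postcss": { version: "0.0.0-placeholder" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
  },
};

// Return every root -> ... -> target path as a "name@version" chain string.
// Assumes the hoisted layout ("node_modules/<name>") of lockfileVersion 2/3;
// nested "node_modules/a/node_modules/b" keys are not resolved here.
function findDependencyPaths(lock, target) {
  const pkgs = lock.packages;
  const root = pkgs[""].name || lock.name;
  const paths = [];
  // Depth-first walk; `seen` guards against dependency cycles.
  function walk(key, trail, seen) {
    const entry = pkgs[key];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (seen.has(dep)) continue;
      const depKey = `node_modules/${dep}`;
      const version = pkgs[depKey] ? pkgs[depKey].version : "unresolved";
      const next = [...trail, `${dep}@${version}`];
      if (dep === target) { paths.push(next.join(" -> ")); continue; }
      walk(depKey, next, new Set([...seen, dep]));
    }
  }
  walk("", [root], new Set([root]));
  return paths;
}

// The direct dependencies through which the target is reached: these are the
// packages a maintainer would have to replace or upgrade to remove exposure.
function directDependenciesExposing(lock, target) {
  const firstHops = findDependencyPaths(lock, target)
    .map((p) => p.split(" -> ")[1].split("@")[0]);
  return [...new Set(firstHops)];
}
```

Run against a real `package-lock.json` by replacing `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result from `findDependencyPaths` means the named package is not in the tree at all.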

Thanks for reporting this.

I'm not actively maintaining this repository, but contributions are more than welcome.

Do you have energy to look into this?

skovhus · Aug 13 '21 21:08