rollup-plugin-styles posibility of a 3.14.2 release for rollup-plugin-styles with less strict cssnano version dependency

Hi, @izevo @Anidetrix,

I noticed that a vulnerability is introduced in [email protected]: Vulnerability CVE-2021-33587 affects package css-what (versions:<5.0.1): https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035 The above vulnerable package is referenced by [email protected] via: [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]

If [email protected].* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from [email protected] ?

In [email protected], maybe you can kindly try to perform the following upgrade : cssnano ^4.1.10 ➔ ^5.0.0;

Note: [email protected](>=5.0.0-rc.0) transitively depends on [email protected] which has fixed the vulnerability CVE-2021-33587

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards, ^_^

Sep 02 '21 06:09 bestrivens001

@Anidetrix I see that [email protected] has been updated in main branch, can you release a new npm version?

Sep 04 '21 03:09 zhihuahuang

I would love a new release as well. Is this something I can help with?

Nov 08 '21 12:11 peschee