optimize-css-assets-webpack-plugin
optimize-css-assets-webpack-plugin copied to clipboard
NMFR
Could you help remove the vulnerability introduced in your package?
Hi, @NMFR, I stumbled upon a vulnerability introduced by package [email protected]:
Issue Description
When I build my project, I note that [email protected] transitively depends on [email protected]. However, the vulnerability CVE-2021-33587 has been detected in package css-what<5.0.1.
As far as I aware, [email protected] is so popular that a large number of projects depend on it (476,014 downloads per week, about 1,868 downstream projects, e.g., @rails/webpacker 5.4.0, @expo/webpack-config 0.12.82, expo-cli 4.7.3, vuepress 1.8.2, @vuepress/core 1.8.2, @moneygeek/ui-components 1.122.0, imui 2.1.1, maga-components 1.0.0-beta.4, etc.)
In this case, the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them.
As you can see, [email protected] is introduced into the above projects via the following package dependency paths:
(1)@moneygeek/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
(2)[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
(3)[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......
I know that it’s kind of you to have removed the vulnerability since [email protected]. But, in fact, the above large amount of downstream projects cannot easily upgrade optimize-css-assets-webpack-plugin from version 5.0.8 to (>=6.0.0): The projects such as docz, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade optimize-css-assets-webpack-plugin nor be easily migrated by the large amount of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?
Suggested Solution
Since these inactive projects set a version constaint 5.0.* for optimize-css-assets-webpack-plugin on the above vulnerable dependency paths, if optimize-css-assets-webpack-plugin removes the vulnerability from 5.0.8 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.
The simplest way to remove the vulnerability is to perform the following upgrade in [email protected]:
cssnano ^4.1.10 ➔ ^5.0.0;
Note:
[email protected](>=5.0.0-rc.0) transitively depends on [email protected] which has fixed the vulnerability (CVE-2021-33587).
Of course, you are welcome to share other ways of dealing with the issue.
Thank you for your attention to this issue.
Best regards, Paimon ^_^
