
Regular Expression Denial of Service in postcss (6.0.11)

Status: Open. Shramkoweb opened this issue 3 years ago • 2 comments

Do you want to request a feature, report a bug or ask a question? Security issue.

What is the current behavior?

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).

[email protected] requires postcss@^5.2.17 via [email protected]

Please tell us about your environment:

  • Node.js version: 16
  • webpack version: 4
  • svg-sprite-loader version: 6.0.11
  • OS type & version: macOS

Shramkoweb, Jun 13 '22 10:06

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

NickWoodward, Aug 21 '22 23:08

> Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting
>
> npm ERR! code EOVERRIDE
> npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

No. Unfortunately, I am waiting for a fix.

Shramkoweb, Aug 22 '22 09:08