
[Snyk] Security upgrade csso from 1.8.2 to 3.0.0

Open • fengmk2 opened this issue 2 years ago • 1 comment

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
  • Severity: high (Priority Score (*): 696/1000; why: Proof of Concept exploit, has a fix available, CVSS 7.5)
  • Issue: Regular Expression Denial of Service (ReDoS), SNYK-JS-ANSIREGEX-1583908
  • Breaking Change: Yes
  • Exploit Maturity: Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: csso. The new version differs by 106 commits.
  • d150161 3.0.0
  • 826a2bf use last stable csstree – 1.0.0-alpha17
  • 7ef0e93 fix a test
  • ddf4757 no global flag
  • 0923082 some tweaks
  • 3342dff update api, complete source map section, formatting
  • 36cdae4 drop bin reference
  • f381f09 change module's layout
  • a67d1e9 hide all csstree methods behind syntax property and update tests
  • 9dbdfc8 move API doc down
  • 44fc320 add source-map as dev-dependency since requires for tests
  • 7b8632a move cli to standalone package (css/csso-cli)
  • ab28815 update years
  • 22ea50f lint tests with jscs
  • f301dcb Minor typos (#322)
  • 58986b7 Space -> WhiteSpace
  • f217458 fix broken tests
  • 0af7c31 Hash -> HexColor
  • 773c377 fix space and universal removal
  • 6aa9e69 align to last changes in css-tree
  • a42433c don't merge loc's (source maps doesn't support it anyway)
  • 6920da5 align to latest changes in csstree
  • 717ba5b align to latest csstree changes
  • 6638b6e use csstree version from master

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

fengmk2 • Dec 03 '23 14:12

New dependencies detected. Learn more about Socket for GitHub ↗︎

  • Package: csso
  • Version: 3.5.1
  • New capabilities: None
  • Transitives: +2
  • Size: 1.44 MB
  • Publisher: lahmatiy

socket-security[bot] • Dec 03 '23 14:12