
npm audit reports RegEx vulnerability in dependency (clean-css)

Open heikkipora opened this issue 6 years ago • 3 comments

Need to update clean-css:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ clean-css                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less-plugin-clean-css                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ less-plugin-clean-css > clean-css                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/785                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

heikkipora, Feb 19 '19 07:02
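The audit table above reports a "Path" (less-plugin-clean-css > clean-css) and a "Patched in" range (>=4.1.11). The script below is an added example, not code from less-plugin-clean-css or clean-css, showing how to reproduce that check offline against a lockfile: it walks a package-lock.json (lockfileVersion 1 shape, nested "dependencies" objects) and reports every path that ends at a clean-css install older than the patched version. The lockfile embedded in the script is constructed for illustration, including its version numbers; the patched version comes from the advisory table.

```javascript
// Added example (not code from less-plugin-clean-css or clean-css).
// Walks a lockfileVersion-1 style "dependencies" tree and reports every
// dependency path whose installed version is below the patched version.

// Patched version from the npm audit table: clean-css >=4.1.11
const PATCHED = { 'clean-css': '4.1.11' };

// Parse MAJOR.MINOR.PATCH; pre-release/build suffixes are ignored on purpose.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a sorts strictly before version b.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Depth-first walk; returns [{ path, version, patched }] for every hit.
// Non-hoisted (nested) copies are visited too, so the same package can
// appear once as vulnerable and once as already fixed under another parent.
function findVulnerablePaths(lock, patched = PATCHED) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (patched[name] && lessThan(info.version, patched[name])) {
        hits.push({
          path: path.join(' > '),
          version: info.version,
          patched: `>=${patched[name]}`,
        });
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not the real
// releases): the plugin still nests a 3.x clean-css while a sibling
// dependency already resolves a patched 4.x copy.
const SAMPLE_LOCK = {
  name: 'my-site',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'less-plugin-clean-css': {
      version: '1.0.0',
      dependencies: { 'clean-css': { version: '3.0.1' } },
    },
    'some-other-tool': {
      version: '2.0.0',
      dependencies: { 'clean-css': { version: '4.2.1' } },
    },
  },
};

for (const h of findVulnerablePaths(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} installed, patched in ${h.patched}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; for newer lockfiles (lockfileVersion 2 or 3) the tree lives under "packages" keyed by node_modules path rather than nested "dependencies", so the walk would need adapting. The hoisted 4.x copy under some-other-tool is deliberately not reported: only the path through the plugin is still on the vulnerable version, which is exactly why the fix here is bumping the plugin's own clean-css dependency rather than adding a patched copy elsewhere in the tree.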

It's a breaking update so likely needs more than a bit of work

heikkipora, Feb 19 '19 07:02

+1 to update dependencies

martonx, Mar 25 '19 13:03

Would be fixed by upgrade proposed in #18, but there are breaking changes in the API: https://github.com/jakubpawlowicz/clean-css/blob/master/README.md#important-40-breaking-changes

Perhaps the vulnerable regex could be patched in clean-css v3 as well, and we could make a trivial update to a fixed version of v3?

joeyparrish, May 14 '19 18:05