Get rid of postcss 7.x

Open max-nextcloud opened this issue 1 year ago • 0 comments

Describe the bug https://github.com/nextcloud/text/security/dependabot/42 reports a regexp DOS in postcss 7.x

We actually have conflicting requirements here:

@vue/[email protected] requires postcss@^7.0.36 via @vue/[email protected]
@nextcloud/[email protected] requires postcss@^7.0.36 via a transitive dependency on @vue/[email protected]
[email protected] requires postcss@^8.4.32
@vitejs/[email protected] requires postcss@^8.4.32 via [email protected]
No patched version available for postcss

So right now we include postcss@7 and postcss@8.

Both requirements of postcss@7 come from @vue/[email protected] which should not be required anymore since vue 2.7. However we still require it due to the need for vue-loader@15 for using webpack with vue 2.

Looks like this might be the way forward:

[ ] migrate to vite #5367
[ ] drop vue-loader
[ ] use vitest instead of vue2-jest
[ ] :tada: no more @vue/component-compiler-utils thus no more old postcss.

Feb 26 '24 08:02 max-nextcloud