
[Security] Upgrade resolve-url-loader

Open trompette opened this issue 3 years ago • 2 comments

Dear maintainers,

There is a CVE on postcss, see https://github.com/advisories/GHSA-566m-qj78-rww5.

Dependabot cannot create a PR on my project because of webpack-encore: [image]

It looks like resolve-url-loader has been updated to a more recent version of postcss, see https://github.com/bholloway/resolve-url-loader/issues/198.

Would it be possible to upgrade resolve-url-loader?

Thanks!

trompette avatar Jan 30 '22 16:01 trompette

I get a similar message when I run npm install after installing it with composer require symfony/webpack-encore-bundle

$ npm install
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated

added 698 packages, and audited 699 packages in 4s

76 packages are looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

and

$ npm audit
# npm audit report

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @symfony/[email protected], which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
    @symfony/webpack-encore  >=0.25.0
    Depends on vulnerable versions of resolve-url-loader
    node_modules/@symfony/webpack-encore

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

henrikac avatar Jan 30 '22 21:01 henrikac

Please refer to https://github.com/symfony/webpack-encore/issues/1079 for this issue.

codedmonkey avatar Feb 04 '22 16:02 codedmonkey