
Update postcss

Open wabuMike opened this issue 2 years ago • 9 comments

Please consider updating postcss to a version >= 8.2.13 since versions below are affected by Regular Expression Denial of Service. See https://github.com/advisories/GHSA-566m-qj78-rww5 for more information.

wabuMike avatar Jan 13 '22 10:01 wabuMike

Second this. Dependabot alerts are triggering me :)

laacz avatar Jan 18 '22 21:01 laacz

For the life of me I can't even imagine why it would take 2 months to review a pull request.

🤦🏻

secondmanveran avatar Feb 23 '22 07:02 secondmanveran

Judging from pull request and commit activity, it appears that the project is no longer maintained.

laacz avatar Feb 23 '22 08:02 laacz

Hey! I've created PR updating PostCSS usage. Give it a thumbs up - maybe that will give it some traction 🤷

FRSgit avatar Feb 23 '22 10:02 FRSgit

There's already a pull request open. That's the point, it's been open since December.

secondmanveran avatar Feb 23 '22 10:02 secondmanveran

OH ... it's yours that's open. Yeah I saw that one, hence my original comment.

secondmanveran avatar Feb 23 '22 10:02 secondmanveran

FYI, it looks like the Dependabot alert was updated, and this is no longer a security issue. The updated status shows that it's fixed in 7.0.36:

https://github.com/github/advisory-database/commit/df3034df6abfc28ab60a5a328cf502b0df65dbdb

brianlenz avatar Feb 25 '22 00:02 brianlenz

As the SFC compiler for Vue 2.7 now uses PostCSS 8, it makes sense to update it.

kingyue737 avatar Jul 18 '22 09:07 kingyue737

This issue is back from the dead - https://nvd.nist.gov/vuln/detail/CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

hackel avatar Oct 18 '23 14:10 hackel
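An added example, not code from this thread or from the project: the check a maintainer would run against a lockfile to see whether any resolved copy of postcss (including transitive ones nested under a dependency) is still below the fix versions quoted in this thread. The lockfile shape (lockfileVersion 2/3 `packages` map) and the sample entries are assumptions.

```javascript
// Fix thresholds as quoted in the thread: GHSA-566m-qj78-rww5 fixed in 7.0.36
// (7.x) and 8.2.13 (8.x); CVE-2023-44270 fixed in 8.4.31.

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric compare of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisory ids from the thread that still apply to a given postcss version.
function postcssAdvisories(version) {
  const found = [];
  const major = parseVersion(version)[0];
  if (compareVersions(version, '7.0.36') < 0 ||
      (major === 8 && compareVersions(version, '8.2.13') < 0)) {
    found.push('GHSA-566m-qj78-rww5');
  }
  if (compareVersions(version, '8.4.31') < 0) found.push('CVE-2023-44270');
  return found;
}

// Walk the "packages" map; nested copies have keys like
// "node_modules/<dep>/node_modules/postcss", so match on the suffix.
function auditLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/postcss')) continue;
    const advisories = postcssAdvisories(entry.version);
    if (advisories.length) hits.push({ path, version: entry.version, advisories });
  }
  return hits;
}

// Constructed sample lock (hypothetical): a clean top-level postcss and an
// outdated copy pinned transitively under component-compiler-utils.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/postcss': { version: '8.4.31' },
    'node_modules/@vue/component-compiler-utils/node_modules/postcss': { version: '7.0.35' },
  },
};
```

Running `auditLock(SAMPLE_LOCK)` reports only the nested 7.0.35 copy, which is exactly the case `npm ls postcss` would also show as a second resolution.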