fix(deps): resolve 2 postcss Dependabot alerts (XSS, parsing error)#1444
Open
DeepDiver1975 wants to merge 1 commit into
Open
fix(deps): resolve 2 postcss Dependabot alerts (XSS, parsing error)#1444DeepDiver1975 wants to merge 1 commit into
DeepDiver1975 wants to merge 1 commit into
Conversation
postcss appeared twice: the main 8.5.6 (required by css-loader, @vue/compiler-sfc, icss-utils, postcss-modules-*) and a nested 7.0.39 under @vue/component-compiler-utils (Vue 2 SFC toolchain). Both advisories are open-ended (< X), so the 7.x copy was also vulnerable and has no 7.x fix. Added an npm override pinning postcss to ^8.5.10; it now resolves to a single 8.5.19 instance, and @vue/component-compiler-utils runs against postcss 8. - postcss 8.5.6 / 7.0.39 -> 8.5.19 - #145 XSS via unescaped </style> in CSS stringify output (GHSA-qx2v-qp2m-jg93, needs >= 8.5.10) - #78 line return parsing error (GHSA-7fh5-64p2-3v2j, needs >= 8.4.31) Verified: npm install re-resolves postcss to a single 8.5.19 copy (nested 7.0.39 gone), and the production webpack build (node build.js) compiles cleanly with the forced postcss 8 across css-loader / vue-loader / sass-loader (warnings only: pre-existing Sass @import deprecations and bundle-size hints). Not fixable (no upstream fix; reported, not dismissed): - showdown (#144) — ReDoS, <= 2.1.0, patched: null; 2.1.0 is latest. - vue (#95) — ReDoS in parseHTML, only "fixed" in 3.0.0-alpha.0 (Vue 3). - vue-template-compiler (#91) — XSS, < 3.0.0, patched: null; dropped in Vue 3. All three require a Vue 2 -> 3 migration (Vue 2 is EOL). Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Addresses all 5 open Dependabot alerts on
owncloud/market. Two (postcss) are fixable and fixed here; three (showdown,vue,vue-template-compiler) have no upstream fix and are reported below, not dismissed.✅ Fixed
postcssappeared twice in the tree: the main 8.5.6 (required bycss-loader,@vue/compiler-sfc,icss-utils,postcss-modules-*) and a nested 7.0.39 under@vue/component-compiler-utils@3.3.0(Vue 2 SFC toolchain). Both advisories are open-ended (< X), so the 7.x copy was also vulnerable — and postcss has no 7.x fix. A plain bump wouldn't move the nested copy, so I added an npmoverridesentry pinningpostcssto^8.5.10. It now resolves to a single 8.5.19 instance and@vue/component-compiler-utilsruns against postcss 8.</style>in CSS stringify output (GHSA-qx2v-qp2m-jg93, medium)<= 2.1.0, patched: null (medium)parseHTML,< 3.0.0-alpha.0(low)< 3.0.0, patched: null (medium)@vue/compiler-sfc).Proposed remediation for the three: all require migrating Vue 2 → Vue 3 (Vue 2 is EOL as of Dec 2023) — a substantial change touching
vue-router@3,vuex@3,vue-loader@15, andvue-template-compiler. Until that's scoped, they are accept-risk: #95 is low, and #91/#144 are build-time compilers / a markdown renderer whose exposure depends on attacker-controlled template/markdown input.How Has This Been Tested?
npm install— postcss re-resolves to a single 8.5.19 copy; the nested 7.0.39 is gone.NODE_ENV=production node build.js) compiles cleanly with the forced postcss 8 acrosscss-loader/vue-loader/sass-loader— 0 errors (warnings only: pre-existing Sass@importdeprecations and bundle-size hints). Bundle emitted normally.engines: >=6.9 <=20).Types of changes
Checklist
🤖 Generated with Claude Code