Skip to content

fix(deps): resolve 2 postcss Dependabot alerts (XSS, parsing error)#1444

Open
DeepDiver1975 wants to merge 1 commit into
masterfrom
fix/dependabot-alerts
Open

fix(deps): resolve 2 postcss Dependabot alerts (XSS, parsing error)#1444
DeepDiver1975 wants to merge 1 commit into
masterfrom
fix/dependabot-alerts

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

Description

Addresses all 5 open Dependabot alerts on owncloud/market. Two (postcss) are fixable and fixed here; three (showdown, vue, vue-template-compiler) have no upstream fix and are reported below, not dismissed.

✅ Fixed

postcss appeared twice in the tree: the main 8.5.6 (required by css-loader, @vue/compiler-sfc, icss-utils, postcss-modules-*) and a nested 7.0.39 under @vue/component-compiler-utils@3.3.0 (Vue 2 SFC toolchain). Both advisories are open-ended (< X), so the 7.x copy was also vulnerable — and postcss has no 7.x fix. A plain bump wouldn't move the nested copy, so I added an npm overrides entry pinning postcss to ^8.5.10. It now resolves to a single 8.5.19 instance and @vue/component-compiler-utils runs against postcss 8.

Alert Package Old → New Advisory Needs ≥
#145 postcss 8.5.6 / 7.0.39 → 8.5.19 XSS via unescaped </style> in CSS stringify output (GHSA-qx2v-qp2m-jg93, medium) 8.5.10
#78 postcss 8.5.6 / 7.0.39 → 8.5.19 line return parsing error (GHSA-7fh5-64p2-3v2j, medium) 8.4.31

⚠️ No fix available (reported, not dismissed)

Alert Package Installed Advisory Why no fix
#144 showdown 2.1.0 ReDoS in link/anchor parsing, <= 2.1.0, patched: null (medium) 2.1.0 is the latest published version; upstream has shipped no fix.
#95 vue 2.5.21 ReDoS in parseHTML, < 3.0.0-alpha.0 (low) Only "patched" in the Vue 3 pre-release; all of Vue 2 (incl. 2.7.16) stays in-range.
#91 vue-template-compiler 2.5.21 client-side XSS, < 3.0.0, patched: null (medium) Every 2.x is vulnerable; the package was dropped in Vue 3 (replaced by @vue/compiler-sfc).

Proposed remediation for the three: all require migrating Vue 2 → Vue 3 (Vue 2 is EOL as of Dec 2023) — a substantial change touching vue-router@3, vuex@3, vue-loader@15, and vue-template-compiler. Until that's scoped, they are accept-risk: #95 is low, and #91/#144 are build-time compilers / a markdown renderer whose exposure depends on attacker-controlled template/markdown input.

How Has This Been Tested?

  • npm install — postcss re-resolves to a single 8.5.19 copy; the nested 7.0.39 is gone.
  • Production build (NODE_ENV=production node build.js) compiles cleanly with the forced postcss 8 across css-loader / vue-loader / sass-loader — 0 errors (warnings only: pre-existing Sass @import deprecations and bundle-size hints). Bundle emitted normally.
  • Ran on Node v18.19.0 (within the repo's engines: >=6.9 <=20).

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • My code follows the code style of this project.
  • All new and existing tests passed.

🤖 Generated with Claude Code

postcss appeared twice: the main 8.5.6 (required by css-loader,
@vue/compiler-sfc, icss-utils, postcss-modules-*) and a nested 7.0.39 under
@vue/component-compiler-utils (Vue 2 SFC toolchain). Both advisories are
open-ended (< X), so the 7.x copy was also vulnerable and has no 7.x fix.
Added an npm override pinning postcss to ^8.5.10; it now resolves to a single
8.5.19 instance, and @vue/component-compiler-utils runs against postcss 8.

- postcss 8.5.6 / 7.0.39 -> 8.5.19
  - #145 XSS via unescaped </style> in CSS stringify output (GHSA-qx2v-qp2m-jg93, needs >= 8.5.10)
  - #78  line return parsing error (GHSA-7fh5-64p2-3v2j, needs >= 8.4.31)

Verified: npm install re-resolves postcss to a single 8.5.19 copy (nested
7.0.39 gone), and the production webpack build (node build.js) compiles
cleanly with the forced postcss 8 across css-loader / vue-loader / sass-loader
(warnings only: pre-existing Sass @import deprecations and bundle-size hints).

Not fixable (no upstream fix; reported, not dismissed):
- showdown (#144) — ReDoS, <= 2.1.0, patched: null; 2.1.0 is latest.
- vue (#95) — ReDoS in parseHTML, only "fixed" in 3.0.0-alpha.0 (Vue 3).
- vue-template-compiler (#91) — XSS, < 3.0.0, patched: null; dropped in Vue 3.
All three require a Vue 2 -> 3 migration (Vue 2 is EOL).

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 15, 2026 22:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant