Need to update cssnano as it has postcss 7.0.35 vulnerable packages. #20606
Closed

prashant93 opened this issue Apr 22, 2021 · 6 comments · Fixed by #20631
Comments

prashant93 commented Apr 22, 2021

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

```
npm ls postcss

`-- @angular-devkit/build-angular@0.1102.10
  +-- css-loader@5.0.1
  | `-- postcss@8.2.4 deduped
  +-- cssnano@4.1.11
  | +-- cssnano-preset-default@4.0.8
  | | +-- css-declaration-sorter@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- cssnano-util-raw-cache@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss@7.0.35
  | | +-- postcss-calc@7.0.5
  | | | `-- postcss@7.0.35
  | | +-- postcss-colormin@4.0.3
  | | | `-- postcss@7.0.35
  | | +-- postcss-convert-values@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss-discard-comments@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-discard-duplicates@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-discard-empty@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss-discard-overridden@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss-merge-longhand@4.0.11
  | | | +-- postcss@7.0.35
  | | | `-- stylehacks@4.0.3
  | | |   `-- postcss@7.0.35
  | | +-- postcss-merge-rules@4.0.3
  | | | `-- postcss@7.0.35
  | | +-- postcss-minify-font-values@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-minify-gradients@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-minify-params@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-minify-selectors@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-charset@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-display-values@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-positions@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-repeat-style@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-string@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-timing-functions@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-unicode@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-url@4.0.1
  | | | `-- postcss@7.0.35
  | | +-- postcss-normalize-whitespace@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-ordered-values@4.1.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-reduce-initial@4.0.3
  | | | `-- postcss@7.0.35
  | | +-- postcss-reduce-transforms@4.0.2
  | | | `-- postcss@7.0.35
  | | +-- postcss-svgo@4.0.3
  | | | `-- postcss@7.0.35
  | | `-- postcss-unique-selectors@4.0.1
  | |   `-- postcss@7.0.35
  | `-- postcss@7.0.35
  +-- postcss@8.2.4
  `-- resolve-url-loader@3.1.2
    `-- postcss@7.0.21
```

AlexanderStromer commented Apr 23, 2021

cssnano/postcss CVE-fixes are slated for Angular 12 (May 2021), see package.json change

@prashant93 (Author)

Thanks @AlexanderStromer, we are getting the Twistlock vulnerability:

```
high | 7.50 | postcss | 7.0.35 | fixed in 8.2.10
high | 7.50 | postcss | 7.0.21 | fixed in 8.2.10
high | 7.50 | postcss | 8.2.4  | fixed in 8.2.10
```

@alan-agius4 (Collaborator)

Closed via #20631

@ErideonTech

postcss 7.x still needed

Can this case be left open until the dependency resolve-url-loader (PR) has also been upgraded to 8.2.10+?

@alan-agius4 (Collaborator)

@ErideonTech, there is no version yet of resolve-url-loader with PostCSS 8. Our dependencies are managed by Renovate, hence when there is a new update, a PR with the fix will be opened automatically.

That said, it is important to mention that such a vulnerability cannot be exploited when using the Angular CLI, as we don't expect the Angular CLI to be used on production servers.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 30, 2021