high severity vulnerabilities from css-what library

[tomhsiao1260]

Current behaviour 💣

Yesterday, css-what was found to have high security vulnerabilities from npm security advisories.
https://www.npmjs.com/advisories/1754

Reproduction Example 👾

run npm install html-webpack-plugin

Environment 🖥

• Node.js v15.2.1 + darwin 19.6.0
• npm@7.16.0
• webpack@5.38.1
• html-webpack-plugin@5.3.1

[alexd-shuttle]

FYI, the outdated version is used by renderkid: AriaMinaei/RenderKid#18
(required by pretty-error)

[jantimon]

I don't want to say this vulnerability is not relevant but it is very very unlikely that it can be exploited.
The html-webpack-plugin is using pretty-error to show compile time messages as html.

So the only way to exploit css-what would be to generate an error during the webpack build which increases the compilation time so much that it has an impact on your ci system stability.

That being said I would like to upgrade the dependencies (or maybe it would be time to drop pretty error at all) to make sure that no security warnings popup during npm audit

Is there already any action which can be done to fix this issue?

[tschmidtb51]

@AviVahl suggested PR 19 to solve this in RenderKid

[AriaMinaei]

This is now fixed. Copying my comment from another issue:

Renderkid 2.0.6 and pretty-error 3.0.4 should fix the audit, thanks to @AviVahl.

I should add that since we don't feed unsanitized input to css-select, it's rather unlikely the vulnerability would've affected any projects depending on renderkid or pretty-error.