[CVE-2021-23382][1.x] Bump postcss from 8.2.10 to 8.2.13 #3739
Issue Resolve
#1094
Description
This CVE requires bumping postcss; the affected range is <7.0.36 || >=8.0.0 <8.2.13. Versions of the postcss package before 7.0.36, or from 8.0.0 up to but not including 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
In 1.x we are using postcss under two versions, 8.2.10 and 7.0.36. Since 7.0.36 is a safe version, we only need to bump 8.2.10 to 8.2.13, which appears to introduce no breaking changes, judging by a comparison of the two versions.
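As an added example (not code from this PR or the repository), the script below applies the affected range quoted above to the postcss versions resolved in a yarn.lock v1 fragment and reports the entries that still need a bump; the lockfile fragment is constructed for the demonstration.

```javascript
// Added example: apply the CVE-2021-23382 affected range
// "<7.0.36 || >=8.0.0 <8.2.13" to the postcss versions resolved in a yarn.lock.

// Three-way comparison of the leading MAJOR.MINOR.PATCH; prerelease tags are ignored.
function compareSemver(a, b) {
  const parse = v => {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    if (!m) throw new Error(`unparseable version: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Inside the affected range: below 7.0.36, or 8.0.0 up to (not including) 8.2.13.
function isAffected(version) {
  const lt = (v, w) => compareSemver(v, w) < 0;
  return lt(version, '7.0.36') || (!lt(version, '8.0.0') && lt(version, '8.2.13'));
}

// Minimal yarn.lock v1 reader: for every entry whose header names `pkg` (e.g.
// `"postcss@^8.2.10", "postcss@^8.2.4":`), collect { spec, version }.
function resolvedVersions(lockText, pkg) {
  const out = [];
  let spec = null;
  for (const line of lockText.split('\n')) {
    if (!/^\s/.test(line) && line.endsWith(':')) {           // entry header
      const header = line.slice(0, -1).trim();
      spec = header.replace(/^"/, '').startsWith(pkg + '@') ? header : null;
      continue;
    }
    const ver = /^\s+version "([^"]+)"/.exec(line);
    if (ver && spec) out.push({ spec, version: ver[1] });
  }
  return out;
}

// Entries that still need a bump, in lockfile order.
function affectedEntries(lockText, pkg) {
  return resolvedVersions(lockText, pkg).filter(e => isAffected(e.version));
}

// Constructed fragment mirroring the PR: postcss resolved at 7.0.36 and 8.2.10.
const SAMPLE_LOCK = `postcss@^7.0.36:
  version "7.0.36"
"postcss@^8.2.10", "postcss@^8.2.4":
  version "8.2.10"
`;
console.log(affectedEntries(SAMPLE_LOCK, 'postcss'));
```

Only the 8.2.10 entry is reported, matching the conclusion above that 7.0.36 can stay.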
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr