postcss 7.x (stable branch dependency) is unsupported and has an active security advisory #3017
Comments
"resolutions": {
  "postcss": ">= 8.2.10"
}

Edit: This will cause yarn to resolve to the fixed version of postcss, but seems to be silently incompatible with the libraries that use it. CI/CD failed when attempting this resolution. Been spending my day so far in dependency hell. 😕
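A way to see which postcss versions a yarn.lock actually resolves to before and after adding such a resolution, as an added example that is not part of this thread. It assumes a yarn.lock v1 file; the sample lock text is constructed, the ">= 8.2.10" floor is the one quoted above, and the 7.x backport floor is left as a placeholder to fill in from the advisory:

```javascript
// Parse yarn.lock v1 into [{ name, range, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header: comma-separated "name@range" specs, each optionally quoted.
      current = line.slice(0, -1).split(',').map((s) => {
        const spec = s.trim().replace(/^"|"$/g, '');
        const at = spec.lastIndexOf('@'); // also splits @scope/name@range correctly
        return { name: spec.slice(0, at), range: spec.slice(at + 1), version: null };
      });
      entries.push(...current);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && current) current.forEach((e) => { e.version = m[1]; });
  }
  return entries;
}

const parseVersion = (v) => v.split('-')[0].split('.').map(Number);
const cmpVersion = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// minPatched maps a major line to its first fixed release, e.g. { 8: '8.2.10' };
// a major line with no entry is reported as unpatched (no backport known).
function unpatchedVersions(lockText, pkg, minPatched) {
  const bad = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (e.name !== pkg || !e.version) continue;
    const v = parseVersion(e.version);
    const floor = minPatched[v[0]];
    if (!floor || cmpVersion(v, parseVersion(floor)) < 0) bad.add(e.version);
  }
  return [...bad].sort();
}

// Constructed sample lock: three postcss entries resolving to three versions.
const SAMPLE_LOCK = `
postcss@^7.0.32:
  version "7.0.35"
"postcss@^8.1.0", "postcss@^8.2.1":
  version "8.2.9"
"postcss@>= 8.2.10":
  version "8.2.10"
`;

// 8.2.10 is the bound quoted in the thread; add a 7: '<backport version>' entry
// (placeholder, not given on this page) once the 7.x backport is confirmed.
const MIN_PATCHED = { 8: '8.2.10' };
```

Against a real project, pass `require('fs').readFileSync('yarn.lock', 'utf8')` as the first argument; an empty result means every resolved postcss copy is at or above its patched floor.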
Does the major breaking change in postcss 8 make it difficult to upgrade webpacker 5 to postcss 8?
Or, is it only an issue for people who use postcss in the browser? PS: If you do use postcss 8, in the browser, in webpacker 5, you will want to be aware of this solution. PPS: Webpacker 6 drops its "nodeModules" loader which should make it easier to use postcss 8 in the browser.
If your use-case does not care about a regex denial of service, you can switch from
"devDependencies": {
  "audit-ci": "4.x"
}

Edit: I found out recently that
You can also use https://github.com/djfdyuruiry/improved-yarn-audit which works as a thin wrapper around Nonetheless the root issue should be fixed.
+1
It looks like webpacker 6 still uses
The fix has been backported to v7: postcss/postcss#1574 (comment)
6.0 will not have a hard dependency on postcss any more. If someone wants to do the work to validate that it's safe to bump the dependency for 5-stable, please do so 🙏
The postcss maintainer already stepped in and released a backport to postcss 7.x that can be used with webpacker v5. So this issue can be closed.
Most of the errors we see coming from yarn audit are for dev dependencies which have no impact in production. See: rails/webpacker#2969 (comment) and rails/webpacker#3017 (comment) We need to be able to suppress warnings which do not apply.
* Fix Totp tests
* Replace yarn audit with configurable one. Most of the errors we see coming from yarn audit are for dev dependencies which have no impact in production. See: rails/webpacker#2969 (comment) and rails/webpacker#3017 (comment) We need to be able to suppress warnings which do not apply.
* Audit lower but allowlist more
* Gem updates
* Sorbet updates for CI to pass
* Standard rb fix
* Update arm check
A yarn audit this morning brought this one to light. There's currently a moderate security advisory in postcss.
Unfortunately, the postcss maintainer has indicated that no fix will be provided for the 7.x branch, and advises that the solution is to switch to 8.x.