Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

postcss 7.x (stable branch dependency) is unsupported and has an active security advisory #3017

Closed
jthornhill opened this issue May 11, 2021 · 9 comments
Closed

postcss 7.x (stable branch dependency) is unsupported and has an active security advisory #3017

jthornhill opened this issue May 11, 2021 · 9 comments

Comments

@jthornhill
Copy link

A yarn audit this morning brought this one to light. There's currently a moderate security advisory in postcss.

Unfortunately, the postcss maintainer has indicated that no fix will be provided for the 7.x branch, and advises the solution is to switch to 8.x
@joshbuker
Copy link

joshbuker commented May 11, 2021
edited
Loading

Found this elsewhere, but you can add the following to your package.json to help resolve this dependency:

"resolutions": {
  "postcss": ">= 8.2.10"
}

Edit: This will cause yarn to resolve to the fixed version of postcss, but seems to be silently incompatible with the libraries that use it. CI/CD failed when attempting this resolution.

Been spending my day so far in dependency hell. 😕

@jaredbeck
Copy link
Contributor

jaredbeck commented May 11, 2021
edited
Loading

Does the major breaking change in postcss 8 make it difficult to upgrade webpacker 5 to postcss 8?

We now serve ES6+ sources in the npm package without Babel compilation.
https://github.com/postcss/postcss/releases/tag/8.0.0

Or, is it only an issue for people who use postcss in the browser?

PS: If you do use postcss 8, in the browser, in webpacker 5, you will want to be aware of this solution.

PPS: Webpacker 6 drops its "nodeModules" loader which should make it easier to use postcss 8 in the browser.

@jvoss jvoss mentioned this issue May 11, 2021
Closed
This was referenced May 11, 2021
Closed
Open
@joshbuker
Copy link

joshbuker commented May 13, 2021
edited
Loading

If your use-case does not care about a regex denial of service, you can switch from yarn audit to audit-ci to allow ignoring this CVE until webpacker fixes their dependency.

  1. Add audit-ci to your devDependencies:
"devDependencies": {
  "audit-ci": "4.x"
}

  1. Run yarn install

  2. Update yarn audit to one of the following options:

  • npx audit-ci --high
  • npx audit-ci --low --allowlist 1693 (functionally equivalent to yarn audit while ignoring this particular CVE)

Edit: I found out recently that npx audit-ci is not functionally equivalent to npx audit-ci --high, it appears to never error code and is useful only for seeing what vulnerabilities are present. 😕

@Eusebius1920 Eusebius1920 mentioned this issue May 19, 2021
Closed
@Eusebius1920
Copy link

You can also use https://github.com/djfdyuruiry/improved-yarn-audit which works as a thin wrapper around yarn audit but filters out specified CVEs (via .iyarc file in the repository or via command-line flag)

Nonetheless the root issue should be fixed.

@guemidiborhane
Copy link

+1

@davidpocina
Copy link

It looks like webpacker 6 still uses postcss-preset-env, so this won't be solved until that project updates to postcss 8 too

csstools/postcss-preset-env#191

@likeuwill likeuwill mentioned this issue May 24, 2021
Merged
@afdev82
Copy link

afdev82 commented Jun 11, 2021

The fix has been backported to v7: postcss/postcss#1574 (comment)

@dhh
Copy link
Member

dhh commented Aug 20, 2021

6.0 will not have a hard dependency on postcss any more. If someone wants to do the work to validate that it's safe to bump the dependency for 5-stable, please do so 🙏

@Eusebius1920
Copy link

The postcss maintainer already stepped in and released a backport to postcss 7.x that can be used with webpacker v5. So this issue can be closed.

@dhh dhh closed this as completed Aug 20, 2021
tsmartt added a commit to tsmartt/publishers that referenced this issue Jan 20, 2022
@tsmartt
Replace yarn audit with configurable one
e82f42d 
Most of the errors we see coming from yarn audit are for dev dependencies
which have no impact in production. See:

rails/webpacker#2969 (comment)
and
rails/webpacker#3017 (comment)

We need to be able to suppress warnings which do not apply.
tsmartt added a commit to brave-intl/publishers that referenced this issue Jan 21, 2022
@tsmartt
Fix Totp tests (#3527)
8d51c94 
* Fix Totp tests

* Replace yarn audit with configurable one

Most of the errors we see coming from yarn audit are for dev dependencies
which have no impact in production. See:

rails/webpacker#2969 (comment)
and
rails/webpacker#3017 (comment)

We need to be able to suppress warnings which do not apply.

* Audit lower but allowlist more

* Gem updates

* Sorbet updates for CI to pass

* Standard rb fix

* Update arm check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@dhh @jthornhill @jaredbeck @joshbuker @guemidiborhane @afdev82 @Eusebius1920 @davidpocina