Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit moderate severity postcss dependency related #6315

Closed
murdocha opened this issue May 20, 2021 · 8 comments
Closed

npm audit moderate severity postcss dependency related #6315

murdocha opened this issue May 20, 2021 · 8 comments
Labels
CSS Preprocessing All the PostCSS, Less, SASS, etc issues 🔥 Security ✨ Parcel 2

Comments

@murdocha
Copy link

🐛 bug report

NPM audit moderate severity findings in parcel-bundler 1.12.5 (postcss dependency related)

🎛 Configuration (.babelrc, package.json, cli command)

from .babelrc:

{
  "presets": [
    "preact",
    [
      "env",
      {
        "targets": {
          "browsers": "last 2 Firefox versions, last 2 Chrome versions, last 2 Edge versions, last 2 Safari versions"
        }
      }
    ]
  ]
}

from package.json:

  "devDependencies": {
    "@babel/core": "^7.11.6",
    "@babel/plugin-proposal-class-properties": "^7.10.4",
    "babel-preset-env": "^1.7.0",
    "babel-preset-preact": "^2.0.0",
    "chai": "^4.1.2",
    "easyimage": "^3.1.0",
    "eslint": "^7.9.0",
    "eslint-config-standard-jsx": "^8.1.0",
    "eslint-config-standard-preact": "^1.1.6",
    "express": "^4.17.1",
    "js-yaml": "^3.12.0",
    "looks-same": "^3.3.0",
    "mocha": "^7.0.0",
    "mochawesome": "^6.1.1",
    "parcel-bundler": "^1.12.5",
    "request-promise": "^4.2.5",
    "sass": "^1.26.10",
    "selenium-webdriver": "^4.0.0-alpha.7",
    "standard": "^14.3.4"
  }

🤔 Expected Behavior

npm audit will succeed

😯 Current Behavior

npm audit returns 66 moderate severity vulnerabilities

These all seem related to the same postcss npm advisory (https://npmjs.com/advisories/1693) via cssnano and htmlnano:


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  css-declaration-sorter > postcss                              

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > css-declaration-sorter > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  cssnano-util-raw-cache > postcss                              

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > cssnano-util-raw-cache > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default > postcss   

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss                                                     

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-calc > postcss                                        

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-calc > postcss                                      

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-colormin > postcss                                    

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-colormin > postcss                                  

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-convert-values > postcss                              

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-convert-values > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-comments > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-comments > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-duplicates > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-duplicates > postcss                        

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-empty > postcss                               

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-empty > postcss                             

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-discard-overridden > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-discard-overridden > postcss                        

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-merge-longhand > postcss                              

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-merge-longhand > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-merge-longhand > stylehacks > postcss                 

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-merge-longhand > stylehacks > postcss               

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-merge-rules > postcss                                 

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-merge-rules > postcss                               

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-font-values > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-font-values > postcss                        

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-gradients > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-gradients > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-params > postcss                               

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-params > postcss                             

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-minify-selectors > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-minify-selectors > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-charset > postcss                           

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-charset > postcss                         

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-display-values > postcss                    

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-display-values > postcss                  

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-positions > postcss                         

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-positions > postcss                       

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-repeat-style > postcss                      

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-repeat-style > postcss                    

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-string > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-string > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-timing-functions > postcss                  

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-timing-functions > postcss                

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-unicode > postcss                           

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-unicode > postcss                         

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-url > postcss                               

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-url > postcss                             

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-normalize-whitespace > postcss                        

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-normalize-whitespace > postcss                      

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-ordered-values > postcss                              

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-ordered-values > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-reduce-initial > postcss                              

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-reduce-initial > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-reduce-transforms > postcss                           

  More info       https://npmjs.com/advisories/1693                             

        
  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-reduce-transforms > postcss                         

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-svgo > postcss                                        

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-svgo > postcss                                      

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > cssnano-preset-default >           
                  postcss-unique-selectors > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > cssnano-preset-default  
                  > postcss-unique-selectors > postcss                          

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > cssnano > postcss                            

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > cssnano > postcss                 

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > uncss > postcss                   

  More info       https://npmjs.com/advisories/1693                             


  Moderate        Regular Expression Denial of Service                          

  Package         postcss                                                       

  Patched in      >=8.2.10                                                      

  Dependency of   parcel-bundler [dev]                                          

  Path            parcel-bundler > htmlnano > purgecss > postcss                

  More info       https://npmjs.com/advisories/1693                             

found 66 moderate severity vulnerabilities in 1642 scanned packages
  66 vulnerabilities require manual review. See the full report for details.

💁 Possible Solution

Update internal dependencies on htmlnano and cssnano to versions that use postcss version greater than or equal to 8.2.10.
I'm not at all sure how difficult or easy that would be...

🔦 Context

Some organizations (including ours) have security policies which prevent production deployments if npm audit vulnerabilities are found (even in dev dependencies).
I know this particular npm audit finding may not be truly as severe as npm audit describes, but dealing with security audits is a fact of life.

The root of the issue appears to be in postcss v7 as mentioned here:
postcss/postcss#1574
but that version will not be fixed as the developer has a newer version to maintain (postcss v8)

I realize that Parcel 1 is also in "maintenance mode" and there is a push to move to Parcel 2 (as mentioned here: #5250 (comment))

I've made a first stab (so far unsuccessful) attempt to migrate to Parcel 2, but these npm audit findings are also present after uninstalling Parcel 1 (parcel-bundler) and installing latest Parcel 2 using npm. So this issue likely impacts all Parcel users of both versions?

💻 Code Sample

for version 1:

npm init
npm install parcel-bundler
npm audit

or for version 2:

npm init
npm install parcel
npm audit

🌍 Your Environment

Software Version(s)
Parcel 1.12.5
Node 12.22.0
npm/Yarn npm v. 6.14.11
Operating System win 10
@mischnic
Copy link
Member

mischnic commented May 20, 2021
edited
Loading

#6317 upgrades htmlnano and cssnano to the latest version, but even the latest htmlnano still uses uncss which depends on PostCSS 7

@murdocha
Copy link
Author

will the upcoming fixes to Parcel 2 referenced above make their way into parcel-bundler (v1)?

@mischnic
Copy link
Member

No. Especially because updating dependencies to new major versions would be a breaking change for v1.

@murdocha
Copy link
Author

not really a "thumbs up" but more of an "acknowledged". I know from reading some of the issue traffic that parcel-bundler v1 is in "maintenance" and most (all?) future development efforts are being directed to parcel v2. This deprecation warning is also present on the NPM package page here: https://www.npmjs.com/package/parcel-bundler.

I'd suggest that you also add a deprecation notice (re: v1) to the top of the main parcel repo (since both v1 and v2 seem to share a repo). It's also somewhat unfortunate/confusing that v2 is tagged as a "beta" version even though that is now the only actively developed "production" version. I'd also suggest dropping the beta tag for v2 now that it is stable (for most users?).

Thanks for tackling the npm audit fixes in v2!
That helps me make the case to migrate to v2 going forward.

@danieltroger
Copy link
Contributor

Thanks for opening this issue and for fixing it! And I agree that v2 has been in beta/nightly for way too long. I mean it's soon at version 800. At one daily release that's like more than 2 years????

We've been using it in prod since the beginning of this year and it's been doing an awesome job.
There were some bugs in the nightly release but they're fixed quickly and the beta ones should be quite stable.

Parcel 1 is buggier than v2 at this point so I really don't see why it shouldn't be declared dead.

@damianobarbati
Copy link

@danieltroger how do you keep up with the constant security vulnerabilities?

@mischnic
Copy link
Member

mischnic commented Jun 11, 2021
edited
Loading

There are three sources at the moment:

And in all of these cases, a denial of service isn't really a security vulnerability in the Parcel usecase. The worst case here is that your build never finishes, you're not running PostCSS in a SaaS webapp like codesandbox.

@aminya aminya mentioned this issue Jun 12, 2021
Open
@ChrisWiegman ChrisWiegman mentioned this issue Jun 25, 2021
Merged
@mischnic mischnic mentioned this issue Nov 17, 2021
Closed
@mischnic mischnic added CSS Preprocessing All the PostCSS, Less, SASS, etc issues ✨ Parcel 2 labels Nov 17, 2021
@mischnic
Copy link
Member

mischnic commented Dec 4, 2021

npm audit doesn't report any errors at the moment with parcel@nightly

@mischnic mischnic closed this as completed Dec 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CSS Preprocessing All the PostCSS, Less, SASS, etc issues 🔥 Security ✨ Parcel 2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@damianobarbati @danieltroger @mischnic @murdocha