Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regular Expression Denial of Service in postcss (6.0.11) #490

Open
Shramkoweb opened this issue Jun 13, 2022 · 2 comments
Open

Regular Expression Denial of Service in postcss (6.0.11) #490

Shramkoweb opened this issue Jun 13, 2022 · 2 comments

Comments

@Shramkoweb
Copy link

Shramkoweb commented Jun 13, 2022

Do you want to request a feature, report a bug or ask a question?
Security issue.

What is the current behavior?

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).

[email protected] requires postcss@^5.2.17 via [email protected]

Please tell us about your environment:

  • Node.js version: 16
  • webpack version: 4
  • svg-sprite-loader version: 6.0.11
  • OS type & version: macOS
@Shramkoweb Shramkoweb changed the title Regular Expression Denial of Service in postcss Regular Expression Denial of Service in postcss (6.0.11) Jun 13, 2022
@NickWoodward
Copy link

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

@Shramkoweb
Copy link
Author

Did you find a decent fix for this? In the past I managed to override postcss used, but I'm now getting

npm ERR! code EOVERRIDE
npm ERR! Override for postcss@^8.4.16 conflicts with direct dependency

No. Unfortunately, I am waiting for a fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants