Could you help remove the vulnerability introduced in your package? #173

Open
paimon0715 opened this issue Jul 25, 2021 · 0 comments

paimon0715 commented Jul 25, 2021

Hi, @NMFR, I stumbled upon a vulnerability introduced by package [email protected]:

Issue Description

When I build my project, I note that [email protected] transitively depends on [email protected]. However, the vulnerability CVE-2021-33587 has been detected in package css-what<5.0.1.
As far as I am aware, [email protected] is so popular that a large number of projects depend on it (476,014 downloads per week, about 1,868 downstream projects, e.g., @rails/webpacker 5.4.0, @expo/webpack-config 0.12.82, expo-cli 4.7.3, vuepress 1.8.2, @vuepress/core 1.8.2, @moneygeek/ui-components 1.122.0, imui 2.1.1, maga-components 1.0.0-beta.4, etc.).
In this case, the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them.
As you can see, [email protected] is introduced into the above projects via the following package dependency paths:
(1)@moneygeek/[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]
(2)[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]
(3)[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]
......

I know that it’s kind of you to have removed the vulnerability since [email protected].
But, in fact, the above large amount of downstream projects cannot easily upgrade optimize-css-assets-webpack-plugin from version 5.0.8 to (>=6.0.0):
The projects such as docz, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade optimize-css-assets-webpack-plugin nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?

Suggested Solution

Since these inactive projects set a version constraint 5.0.* for optimize-css-assets-webpack-plugin on the above vulnerable dependency paths, if optimize-css-assets-webpack-plugin removes the vulnerability from 5.0.8 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in [email protected]:
cssnano ^4.1.10 ➔ ^5.0.0;
Note:
[email protected](>=5.0.0-rc.0) transitively depends on [email protected] which has fixed the vulnerability (CVE-2021-33587).
Of course, you are welcome to share other ways of dealing with the issue.

Thank you for your attention to this issue.

Best regards,
Paimon ^_^
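The issue above is about a vulnerable version of css-what reaching projects only through transitive dependency paths. The following script is an added example, not part of the issue or of the optimize-css-assets-webpack-plugin project: it walks a lockfile v1 style `dependencies` tree and reports every chain that ends at a css-what version below 5.0.1 (the fixed version the issue cites for CVE-2021-33587), so a downstream maintainer can confirm whether their own install is affected. The lockfile fragment is constructed inline; the nesting and the css-what version 3.4.2 beneath cssnano 4.1.10 are illustrative assumptions, and `some-other-lib` is a hypothetical package.

```javascript
// Added example (not from the issue or the project it discusses): find dependency
// chains in a package-lock.json v1 "dependencies" tree that reach css-what < 5.0.1,
// the fixed version the issue cites for CVE-2021-33587.

const FIXED_CSS_WHAT = [5, 0, 1]; // css-what >= 5.0.1 is fixed, per the issue

// Parse "major.minor.patch" into numbers; a pre-release suffix such as "-rc.0" is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare of two parsed versions; negative when a < b, zero when equal.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True only for the css-what package at a version below the fixed one.
function isVulnerableCssWhat(name, version) {
  return name === 'css-what' && compareVersions(parseVersion(version), FIXED_CSS_WHAT) < 0;
}

// Depth-first walk of the lockfile "dependencies" map. Every entry may itself carry a
// nested "dependencies" map (lockfile v1 layout); chains are rendered as "name@version".
function findVulnerablePaths(lock) {
  const hits = [];
  function walk(deps, chain) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const next = chain.concat(`${name}@${entry.version}`);
      if (isVulnerableCssWhat(name, entry.version)) hits.push(next.join(' > '));
      walk(entry.dependencies, next);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile fragment. Versions of the plugin and cssnano follow the
// issue; the css-what version under cssnano and "some-other-lib" are hypothetical.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    'optimize-css-assets-webpack-plugin': {
      version: '5.0.8',
      dependencies: {
        cssnano: {
          version: '4.1.10',
          dependencies: {
            'css-what': { version: '3.4.2' }, // illustrative pre-fix version
          },
        },
      },
    },
    'some-other-lib': {
      version: '1.0.0',
      dependencies: { 'css-what': { version: '5.0.1' } }, // already on the fixed version
    },
  },
};

const VULNERABLE_PATHS = findVulnerablePaths(SAMPLE_LOCK);
for (const p of VULNERABLE_PATHS) console.log('vulnerable path:', p);
```

Run it with `node` against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; for a v2/v3 lockfile the flat `packages` map would need a different walk, since nesting is expressed by path there rather than by nested objects.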
