Hi, when updating dependencies I got a message about 34 moderate severity vulnerabilities. These are apparently caused by the outdated version of PostCSS. Here is the full npm audit output:
# npm audit report
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cssnano-util-raw-cache/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/css-declaration-sorter/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/cssnano-preset-default/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/cssnano/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-calc/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-colormin/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-convert-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-comments/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-duplicates/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-empty/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-overridden/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-merge-longhand/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-merge-rules/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-font-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-gradients/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-params/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-selectors/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-charset/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-display-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-positions/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-repeat-style/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-string/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-timing-functions/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-unicode/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-url/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-whitespace/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-ordered-values/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-initial/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-transforms/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-svgo/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-unique-selectors/node_modules/postcss
node_modules/rollup-plugin-postcss/node_modules/stylehacks/node_modules/postcss
css-declaration-sorter 4.0.0 - 5.1.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/css-declaration-sorter
cssnano-preset-default <=4.0.0-rc.2 || 4.0.1 - 4.0.8
Depends on vulnerable versions of css-declaration-sorter
Depends on vulnerable versions of cssnano-util-raw-cache
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/cssnano
rollup-plugin-postcss >=2.0.0
Depends on vulnerable versions of cssnano
node_modules/rollup-plugin-postcss
cssnano-util-raw-cache >=4.0.1
Depends on vulnerable versions of postcss
node_modules/cssnano-util-raw-cache
postcss-calc 6.0.2 - 7.0.5
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-calc
postcss-colormin 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-colormin
postcss-convert-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-convert-values
postcss-discard-comments 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-comments
postcss-discard-duplicates 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-duplicates
postcss-discard-empty 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-empty
postcss-discard-overridden 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-discard-overridden
postcss-merge-longhand 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-merge-longhand
postcss-merge-rules 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-merge-rules
postcss-minify-font-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-font-values
postcss-minify-gradients 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-gradients
postcss-minify-params 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-params
postcss-minify-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-minify-selectors
postcss-normalize-charset 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-charset
postcss-normalize-display-values <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-display-values
postcss-normalize-positions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-positions
postcss-normalize-repeat-style <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-repeat-style
postcss-normalize-string <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-string
postcss-normalize-timing-functions <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-timing-functions
postcss-normalize-unicode <=4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-unicode
postcss-normalize-url 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-url
postcss-normalize-whitespace <=4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-normalize-whitespace
postcss-ordered-values 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-ordered-values
postcss-reduce-initial 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-initial
postcss-reduce-transforms 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-reduce-transforms
postcss-svgo 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-svgo
postcss-unique-selectors 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/postcss-unique-selectors
stylehacks 4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
Depends on vulnerable versions of postcss
node_modules/rollup-plugin-postcss/node_modules/stylehacks
34 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Is there a way to fix this?