CVE-2021-28092 in cssnano
due to an old version of is-svg
#1030
Comments
Please use search before opening an issue; this has been answered a lot of times. Please use
Well that's not really an option for most packages since they can't depend on Given that cssnano is in the dependency chain of CRA/react-scripts and is used by millions of users, a patch of version 4 will likely be required, so keeping this issue open instead of closing it and telling people a solution that doesn't work would be more helpful.
@alexander-akait could you please consider simply releasing, for example, a version 4.0.3 of the postcss-svgo package (with an upgraded version of is-svg in package.json)? It should help to solve the CVE issue more easily in a lot of projects.
I agree with the 2 comments above. In addition, if I'm not mistaken, 5.0.0-rc.2 is not ready yet with the is-svg 4.2.2 patched version. Could it be possible to upgrade the postcss-svgo package to a patched 4.0.3 version to take into account the is-svg 4.2.2 version, please? I think there are no breaking changes in updating to the is-svg 4.2.2 version. Thanks
Correct. The
The @alexander-akait any chance you could
I am afraid v4 can be broken right now; in theory we can find the last commit before the publish and use it for the update
Are there any tests in place? I'm afraid that using specific commits or the rc version is not really an option, as that would then require going project-by-project and getting them all upgraded. Releasing the (already accepted) changes of the 4.x.x branch feels natural to the process, and would target all those use cases already making use of What can be done to verify the soundness of the 4.x.x branch? Any way we can assist?
Oh, I see what you mean by specific commit. You mean this: d0f65e2 So if we take this commit + one more bumping the vulnerable dependencies, would that be enough to release a stable 4.x patch?
yep, so we don't break anything
Alright, then I suggest the current Then, create a new Then we'll be able to create a PR from a fork with the required upgrades, directly to the branch. WDYT?
/cc @ludofischer Let's create branch (
@AviVahl feel free to send a PR, we solved it in v5, let's do the same, just remove
FYI I could not even manage to complete
I was able to get two failures now:
Both, in theory, could be related to
@alexander-akait done. 👍
Done https://github.com/cssnano/cssnano/releases/tag/v4.1.11, hope we do not break something 😄
Thanks 👍 It works for me to get rid of the
cssnano can still minify svg,
@ludofischer ok thanks for the precision 😉
Describe the bug
CVE-2021-28092
Looking at the dependency tree of cssnano shows that postcss-svgo depends on is-svg@3.0.0
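A defender's check for the tree this issue describes, added here as an example and not code from the issue or the cssnano project: it scans a package-lock.json object for copies of is-svg below 4.2.2 (the patched version named in the thread) and reports the install path of each, so a nested copy under postcss-svgo is not masked by a patched top-level one. The sample lockfile is constructed inline.

```javascript
// Added example, not code from the cssnano project: scan a package-lock.json
// for copies of is-svg older than 4.2.2 (the version the thread names as patched
// for CVE-2021-28092). Supports lockfileVersion 1 (nested "dependencies") and 2/3
// (flat "packages" keyed by install path).

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every install path of `name` whose version is below `fixed`.
function findVulnerable(lock, name = 'is-svg', fixed = '4.2.2') {
  const hits = [];
  if (lock.packages) {                       // lockfile v2/v3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && meta.version &&
          compareVersions(meta.version, fixed) < 0) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {            // lockfile v1, nested tree
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name && compareVersions(meta.version, fixed) < 0) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed v2 lockfile mirroring the tree the issue describes: the top
// level has a patched is-svg, but postcss-svgo nests its own is-svg@3.0.0.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/is-svg': { version: '4.2.2' },
    'node_modules/postcss-svgo/node_modules/is-svg': { version: '3.0.0' },
  },
};
console.log(findVulnerable(SAMPLE_LOCK)); // one hit: the nested 3.0.0 copy
```

Pass the parsed contents of a real package-lock.json to findVulnerable to audit an actual project.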