Hi, @NMFR, I stumbled upon a vulnerability introduced by package css-what@3.4.2:
Issue Description
When I build my project, I note that optimize-css-assets-webpack-plugin@5.0.8 transitively depends on css-what@3.4.2. However, the vulnerability CVE-2021-33587 has been detected in package css-what<5.0.1.
As far as I am aware, optimize-css-assets-webpack-plugin@5.0.8 is so popular that a large number of projects depend on it (476,014 downloads per week, about 1,868 downstream projects, e.g., @rails/webpacker 5.4.0, @expo/webpack-config 0.12.82, expo-cli 4.7.3, vuepress 1.8.2, @vuepress/core 1.8.2, @moneygeek/ui-components 1.122.0, imui 2.1.1, maga-components 1.0.0-beta.4, etc.).
In this case, the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them.
As you can see, optimize-css-assets-webpack-plugin@5.0.8 is introduced into the above projects via the following package dependency paths:
(1) @moneygeek/ui-components@1.122.0 ➔ docz@2.3.1 ➔ gatsby@2.32.13 ➔ optimize-css-assets-webpack-plugin@5.0.8 ➔ cssnano@4.1.11 ➔ cssnano-preset-default@4.0.8 ➔ postcss-svgo@4.0.3 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
(2) imui@2.1.1 ➔ docz@2.3.1 ➔ gatsby@2.32.13 ➔ optimize-css-assets-webpack-plugin@5.0.8 ➔ cssnano@4.1.11 ➔ cssnano-preset-default@4.0.8 ➔ postcss-svgo@4.0.3 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
(3) maga-components@1.0.0-beta.41 ➔ docz@2.3.1 ➔ gatsby@2.32.13 ➔ optimize-css-assets-webpack-plugin@5.0.8 ➔ cssnano@4.1.11 ➔ cssnano-preset-default@4.0.8 ➔ postcss-svgo@4.0.3 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
......
I know that it’s kind of you to have removed the vulnerability since optimize-css-assets-webpack-plugin@6.0.0.
But, in fact, the above large number of downstream projects cannot easily upgrade optimize-css-assets-webpack-plugin from version 5.0.8 to (>=6.0.0):
The projects such as docz, which introduced optimize-css-assets-webpack-plugin@5.0.8, are not maintained anymore. These unmaintained packages can neither upgrade optimize-css-assets-webpack-plugin nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package optimize-css-assets-webpack-plugin@5.0.8?
Suggested Solution
Since these inactive projects set a version constraint 5.0.* for optimize-css-assets-webpack-plugin on the above vulnerable dependency paths, if optimize-css-assets-webpack-plugin removes the vulnerability from 5.0.8 and releases a new patched version optimize-css-assets-webpack-plugin@5.0.9, such a vulnerability patch can be automatically propagated into the downstream projects.
The simplest way to remove the vulnerability is to perform the following upgrade in optimize-css-assets-webpack-plugin@5.0.9: cssnano ^4.1.10 ➔ ^5.0.0
Note: cssnano@5.0.0 (>=5.0.0-rc.0) transitively depends on css-what@5.0.1, which has fixed the vulnerability (CVE-2021-33587).
Of course, you are welcome to share other ways of dealing with the issue.
Thank you for your attention to this issue.
Best regards,
Paimon ^_^
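The two technical points in the report above are (a) finding every dependency path that ends in an affected css-what version and (b) why a 5.0.9 patch release would reach downstream projects pinned to 5.0.* while 6.0.0 does not. The following Node.js script is an added example, not code from the issue or from optimize-css-assets-webpack-plugin; it walks a constructed, hand-built dependency graph modelled on path (1) in the issue (a real check would build the graph from package-lock.json or `npm ls --json`), flags any css-what below the fixed version 5.0.1, and implements only the two range shapes the issue mentions (`5.0.*` and `^x.y.z`) rather than full npm semver.

```javascript
// Added example (not from the issue). Dependency-path audit for CVE-2021-33587
// over a constructed graph; uses only Node built-ins so it runs offline.

const AFFECTED = { name: "css-what", fixedIn: "5.0.1" }; // fixed version per the issue

// Constructed graph: "name@version" -> its dependencies, mirroring path (1) in the issue.
const GRAPH = {
  "@moneygeek/ui-components@1.122.0": ["docz@2.3.1"],
  "docz@2.3.1": ["gatsby@2.32.13"],
  "gatsby@2.32.13": ["optimize-css-assets-webpack-plugin@5.0.8"],
  "optimize-css-assets-webpack-plugin@5.0.8": ["cssnano@4.1.11"],
  "cssnano@4.1.11": ["cssnano-preset-default@4.0.8"],
  "cssnano-preset-default@4.0.8": ["postcss-svgo@4.0.3"],
  "postcss-svgo@4.0.3": ["svgo@1.3.2"],
  "svgo@1.3.2": ["css-select@2.1.0"],
  "css-select@2.1.0": ["css-what@3.4.2"],
  "css-what@3.4.2": [],
};

// Parse "major.minor.patch" with an optional prerelease tag (e.g. "5.0.0-rc.0").
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`bad version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two versions: -1, 0 or 1. A prerelease sorts before its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Split "name@version"; the last "@" is the separator so scoped names survive.
function splitSpec(spec) {
  const i = spec.lastIndexOf("@");
  return { name: spec.slice(0, i), version: spec.slice(i + 1) };
}

// A node is affected when it is css-what at a version below the fix.
function isAffected(spec) {
  const { name, version } = splitSpec(spec);
  return name === AFFECTED.name && compareVersions(version, AFFECTED.fixedIn) < 0;
}

// Depth-first search for every root-to-affected path; "seen" guards against cycles.
function findVulnerablePaths(graph, root) {
  const results = [];
  (function walk(node, path, seen) {
    if (seen.has(node)) return;
    const next = [...path, node];
    if (isAffected(node)) { results.push(next); return; }
    const s = new Set(seen); s.add(node);
    for (const dep of graph[node] || []) walk(dep, next, s);
  })(root, [], new Set());
  return results;
}

// Minimal range check covering the two shapes in the issue: "5.0.*"/"5.0.x" and "^x.y.z".
function satisfies(version, range) {
  const v = parseVersion(version);
  let m;
  if ((m = /^(\d+)\.(\d+)\.[x*]$/.exec(range))) return v.major === +m[1] && v.minor === +m[2];
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(range))) {
    const lo = parseVersion(m[1]);
    if (compareVersions(version, m[1]) < 0) return false;
    // Caret keeps the major (or the minor when major is 0).
    return lo.major > 0 ? v.major === lo.major : v.major === 0 && v.minor === lo.minor;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Usage: list the affected paths, then show which fix release a 5.0.* pin would pick up.
for (const p of findVulnerablePaths(GRAPH, "@moneygeek/ui-components@1.122.0")) {
  console.log(p.join(" -> "));
}
console.log("5.0.9 satisfies 5.0.*:", satisfies("5.0.9", "5.0.*")); // true
console.log("6.0.0 satisfies 5.0.*:", satisfies("6.0.0", "5.0.*")); // false
```

Replacing the constructed GRAPH with the `dependencies` tree from a real lockfile turns this into a reusable audit step: any path printed is one that a 5.0.9 release bumping cssnano to ^5.0.0 would close without downstream projects changing their pins.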