Skip to content

npm audit fails due to postcss #6467

New issue
New issue
Closed
vuejs/component-compiler-utils
#111
Closed
npm audit fails due to postcss#6467
vuejs/component-compiler-utils
#111
Labels
priority: nextupstream
@duckness

Description

@duckness
duckness
opened on May 11, 2021

Version

5.0.0-beta.0

Environment info

Environment Info:

  System:
    OS: Windows 10 10.0.19042
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 15.6.0 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
    npm: 7.11.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: 90.0.4430.93
    Edge: Spartan (44.19041.964.0), Chromium (90.0.818.56)
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1
    @vue/babel-helper-vue-transform-on:  1.0.2
    @vue/babel-plugin-jsx:  1.0.6
    @vue/babel-plugin-transform-vue-jsx:  1.2.1
    @vue/babel-preset-app:  5.0.0-beta.0
    @vue/babel-preset-jsx:  1.2.4
    @vue/babel-sugar-composition-api-inject-h:  1.2.1
    @vue/babel-sugar-composition-api-render-instance:  1.2.4
    @vue/babel-sugar-functional-vue:  1.2.2
    @vue/babel-sugar-inject-h:  1.2.2
    @vue/babel-sugar-v-model:  1.2.3
    @vue/babel-sugar-v-on:  1.2.3
    @vue/cli-overlay:  5.0.0-beta.0
    @vue/cli-plugin-babel: ~5.0.0-beta.0 => 5.0.0-beta.0
    @vue/cli-plugin-eslint: ~5.0.0-beta.0 => 5.0.0-beta.0
    @vue/cli-plugin-router:  5.0.0-beta.0
    @vue/cli-plugin-vuex:  5.0.0-beta.0
    @vue/cli-service: ~5.0.0-beta.0 => 5.0.0-beta.0
    @vue/cli-shared-utils:  5.0.0-beta.0
    @vue/compiler-core:  3.0.11
    @vue/compiler-dom:  3.0.11
    @vue/compiler-sfc: ^3.0.4 => 3.0.11
    @vue/compiler-ssr:  3.0.11
    @vue/component-compiler-utils:  3.2.0
    @vue/reactivity:  3.0.11
    @vue/runtime-core:  3.0.11
    @vue/runtime-dom:  3.0.11
    @vue/shared:  3.0.11
    @vue/web-component-wrapper:  1.3.0
    eslint-plugin-vue: ^7.2.0 => 7.9.0
    vue: ^3.0.4 => 3.0.11
    vue-eslint-parser:  7.6.0
    vue-hot-reload-api:  2.3.4
    vue-loader:  16.2.0 (15.9.6)
    vue-style-loader:  4.1.3
    vue-template-es2015-compiler:  1.9.1
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

  1. vue create something
  2. npm audit complains:
# npm audit report

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install @vue/cli-service@3.3.1, which is a breaking change
node_modules/@vue/component-compiler-utils/node_modules/postcss
  @vue/component-compiler-utils  >=2.4.0
  Depends on vulnerable versions of postcss
  node_modules/@vue/component-compiler-utils
    @vue/cli-service  >=3.4.0
    Depends on vulnerable versions of @vue/component-compiler-utils
    Depends on vulnerable versions of vue-loader-v15
    node_modules/@vue/cli-service
    vue-loader-v15
    Depends on vulnerable versions of @vue/component-compiler-utils
    node_modules/vue-loader-v15

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

What is expected?

npm audit does not return an error

What is actually happening?

npm audit returns an error

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority: nextupstream

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions