I'm using vue-cli which has the dependency of postcss.

When I run npm audit I get warnings that postcss has vulnerabilities and I have to upgrade to some newer version. How do I do this?

I tried npm update, npm update -D, npm update -D --depth=99. But it doesn't work.

I also tried to remove vue-cli, which completely removes everything from postcss (I checked it). But then when I install vue-cli again, the old version of postcss gets installed again.

I also checked what version of postcss is required by vue-cli, and it only has requirements that say higher than version ^7.0.3 or something. But it should by default install the latest version right?

I don't understand why npm is installing an old version and I also don't know how I can update it to the latest version.

This is the warning that I get.

┌───────────────┬──────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service         │
├───────────────┼──────────────────────────────────────────────┤
│ Package       │ postcss                                      │
├───────────────┼──────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                     │
├───────────────┼──────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                             │
├───────────────┼──────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > postcss-loader > postcss  │
├───────────────┼──────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1693            │
└───────────────┴──────────────────────────────────────────────┘
  • Did you try `npm install postcss@latest`? – T J May 11 '21 at 12:54
  • 2
    Thanks, that installed the latest version. But somehow I still get warning from npm audit. Why is that? – Harm May 11 '21 at 13:02
  • 1
    You didn't post the report. It should contain the explanation. *But it should by default install the latest version right* - the latest is 8, not to mention that there's an NPM bug that would make `^7.0.3` install 7.0.3, and I'm not sure this has been fixed. – Estus Flask May 11 '21 at 13:11
  • Please add the version of your vue cli package and of the cli service package! – jasie May 17 '21 at 08:17
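An added example (not from the question, its comments, or the answer) showing why `npm install postcss@latest` can leave the npm audit warning in place: the audit path `@vue/cli-service > postcss-loader > postcss` points at a nested copy under `node_modules/postcss-loader/node_modules/postcss`, and a top-level install does not replace that copy when the intermediate package's range (`^7.0.3`) cannot be satisfied by 8.x. The script walks a lockfileVersion 2 `package-lock.json` and lists every installed copy of postcss still below the "Patched in" version; the lock-file contents and version numbers are constructed for illustration.

```javascript
// Constructed lock-file fragment: a top-level postcss 8.x (added by
// `npm install postcss@latest`) plus the nested 7.x that postcss-loader keeps.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@vue/cli-service": "^4.5.0", postcss: "^8.2.10" } },
    "node_modules/postcss": { version: "8.2.15" },
    "node_modules/@vue/cli-service": { version: "4.5.13" },
    "node_modules/postcss-loader": { version: "3.0.0" },
    // nested copy: postcss-loader's range (^7) excludes 8.x, so npm keeps 7.x here
    "node_modules/postcss-loader/node_modules/postcss": { version: "7.0.35" },
  },
};

// Parse "major.minor.patch" into numbers (prerelease tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `installed` >= `patched`, i.e. it satisfies a ">=x.y.z" audit range.
function isPatched(installed, patched) {
  const a = parseVersion(installed), b = parseVersion(patched);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Every installed copy of `name`, with the install path rendered the way the
// npm audit "Path" column shows it (e.g. "postcss-loader > postcss").
function findInstalls(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p.endsWith(`node_modules/${name}`))
    .map(([p, meta]) => ({
      path: p.split("node_modules/").filter(Boolean)
             .map((s) => s.replace(/\/$/, "")).join(" > "),
      version: meta.version,
    }));
}

// The copies npm audit will keep flagging: installed but below the patched version.
function vulnerableInstalls(lock, name, patchedIn) {
  return findInstalls(lock, name).filter((i) => !isPatched(i.version, patchedIn));
}

for (const i of vulnerableInstalls(CONSTRUCTED_LOCK, "postcss", "8.2.10")) {
  console.log(`${i.path}@${i.version} is still below 8.2.10`);
}
```

Run it against a real lock file by replacing `CONSTRUCTED_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a nested copy in the output is the one the top-level install left untouched.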

1 Answer

Referring to this how to fix postcss vulnerability in reactjs, it is mentioned that it is suggested to wait for maintainers to fix this issue. I'm also facing the same vulnerabilities with yarn audit...