Problem/Motivation

Note (& Cover My Ass-disclaimer): This issue has been discussed with @longwave wearing his Drupal Security Team hat and he was OK with this being handled in the public queue, since PostCSS is a dev tool only.

Also the CVE affects linters using PostCSS to parse external Cascading Style Sheets, which we don't do.

Steps to reproduce

$ yarn audit
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ PostCSS line return parsing error                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.4.31                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094239                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ PostCSS line return parsing error                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.4.31                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > postcss                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094239                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ PostCSS line return parsing error                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.4.31                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-order                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-order > postcss                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094239                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
3 vulnerabilities found - Packages audited: 822
Severity: 3 Moderate
Done in 4.13s.

Proposed resolution

Bump postcss to version 8.4.31

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet
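As an added example (not the issue's own code, nor Drupal's or PostCSS's), here is a small parser for the box-drawn yarn audit output quoted above, plus a check of whether a given installed postcss version satisfies the advisory's "Patched in" range. AUDIT_TEXT is a constructed sample built from the table in the issue; the function names are assumptions of this example.

```javascript
// Added example, not the issue's own code: parse the box-drawn `yarn audit`
// output quoted above. AUDIT_TEXT is a constructed sample of one advisory box.
const AUDIT_TEXT = `
┌───────────────┬───────────────────────────────────┐
│ moderate      │ PostCSS line return parsing error │
├───────────────┼───────────────────────────────────┤
│ Package       │ postcss                           │
├───────────────┼───────────────────────────────────┤
│ Patched in    │ >=8.4.31                          │
├───────────────┼───────────────────────────────────┤
│ Dependency of │ stylelint                         │
├───────────────┼───────────────────────────────────┤
│ Path          │ stylelint > postcss               │
└───────────────┴───────────────────────────────────┘
`;

// One record per box: first row is "severity | title", later rows are "label | value" (camelCased).
function parseYarnAuditBoxes(text) {
  const boxes = [];
  let box = null;
  for (const line of text.split("\n")) {
    if (line.startsWith("┌")) { box = {}; boxes.push(box); continue; }
    if (!box || !line.startsWith("│")) continue; // separators, borders, blanks
    const cells = line.split("│").slice(1, -1).map((c) => c.trim());
    if (cells.length < 2) continue;
    if (box.severity === undefined) {
      [box.severity, box.title] = cells;
    } else {
      const key = cells[0].replace(/\s+(\w)/g, (_, c) => c.toUpperCase());
      box[key[0].toLowerCase() + key.slice(1)] = cells[1]; // "Patched in" -> patchedIn
    }
  }
  return boxes;
}

// Dotted numeric versions compared component-wise; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `installed` meets the ">=x.y.z" range yarn printed; other range shapes stay unresolved.
function isFixedBy(box, installed) {
  const m = /^>=\s*([\d.]+)$/.exec(box.patchedIn || "");
  return m !== null && compareVersions(installed, m[1]) >= 0;
}
```

Running `yarn audit` output through parseYarnAuditBoxes and isFixedBy with the version a lockfile bump pins shows which dependency paths the bump actually clears.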

Comment | File | Size | Author
#3 | 3392485-10.1.x-3.patch | 1.78 KB | spokje
#2 | CVE-2023-44270.patch | 1.78 KB | spokje

Comments

Spokje created an issue. See original summary.

spokje:

Attached file: CVE-2023-44270.patch (new, 1.78 KB)
┌──────────────────────────────┬──────────────────────────┬──────────────────┐
│ package name                 │ old version(s)           │ new version(s)   │
├──────────────────────────────┼──────────────────────────┼──────────────────┤
│ postcss                      │ [..., 8.4.24], 8.4.23    │ [...], 8.4.31    │
└──────────────────────────────┴──────────────────────────┴──────────────────┘
spokje:

Attached file: 3392485-10.1.x-3.patch (new, 1.78 KB)
┌──────────────────────────────┬──────────────────────────┬──────────────────┐
│ package name                 │ old version(s)           │ new version(s)   │
├──────────────────────────────┼──────────────────────────┼──────────────────┤
│ postcss                      │ [..., 8.4.24], 8.4.23    │ [...], 8.4.31    │
└──────────────────────────────┴──────────────────────────┴──────────────────┘
spokje:

Version: 11.x-dev » 10.1.x-dev
spokje:

Status: Active » Needs review
smustgrave:

Status: Needs review » Reviewed & tested by the community

Reran the 11.x tests and they had no failure.

longwave:

Status: Reviewed & tested by the community » Fixed

Committed and pushed 772ba90504 to 11.x and e4e192f7ba to 10.2.x and 35da18cb5b to 10.1.x. Thanks!

  • longwave committed 35da18cb on 10.1.x
    Issue #3392485 by Spokje: Security update postcss (CVE-2023-44270)
    
    (...

  • longwave committed e4e192f7 on 10.2.x
    Issue #3392485 by Spokje: Security update postcss (CVE-2023-44270)
    
    (...

  • longwave committed 772ba905 on 11.x
    Issue #3392485 by Spokje: Security update postcss (CVE-2023-44270)
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.