fix(webpack): bump postcss-loader to ^8.2.1 to eliminate transitive [email protected] CVE#35028
| @@ -408,6 +408,11 @@ | |||
| "tslib": "catalog:typescript", | |||
| "webpack-cli": "^5.1.4" | |||
| }, | |||
| "pnpm": { | |||
| "overrides": { | |||
| "yaml@^1.10.0": ">=1.10.3" | |||
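Review bot: the replacement range on the `"yaml@^1.10.0": ">=1.10.3"` line has no upper bound, so pnpm may also satisfy it with a yaml 2.x release even though every dependent matched by the key asked for `^1.10.0`; a dependent built against the 1.x API would then be rewritten to a different major without any error at install time. Suggest `"yaml@^1.10.0": ">=1.10.3 <2.0.0"`, or, as the PR description later proposes, drop the override entirely and bump postcss-loader so the yaml dependency path disappears.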
The override pattern "yaml@^1.10.0": ">=1.10.3" is too permissive and will match yaml 2.x versions, which have breaking changes from yaml 1.x. This causes packages expecting yaml 1.x API (like cosmiconfig) to receive yaml 2.8.2 (visible in pnpm-lock.yaml), which will break at runtime due to API incompatibilities.
Fix by constraining to 1.x:
- "yaml@^1.10.0": ">=1.10.3"
+ "yaml@^1.10.0": ">=1.10.3 <2.0.0"
Spotted by Graphite
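An added check, not code from the PR or from Graphite, that makes the point above concrete: it reads a pnpm.overrides map, parses the ranges with a minimal semver subset, and flags any replacement range that still admits the next major version of the key it rewrites. It assumes plain x.y.z versions, the comparators >= <= > < =, and caret ranges on majors >= 1; the sample overrides are constructed from this thread.

```javascript
// Minimal semver subset (assumption: x.y.z versions, comparators >= <= > < =, caret on major >= 1).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// ">=1.10.3 <2.0.0" -> [{ op: '>=', ver: [1,10,3] }, { op: '<', ver: [2,0,0] }]
function parseRange(range) {
  return range.trim().split(/\s+/).map((tok) => {
    const m = /^(>=|<=|>|<|=|\^)?(\d+\.\d+\.\d+)$/.exec(tok);
    if (!m) throw new Error(`unsupported comparator: ${tok}`);
    return { op: m[1] || '=', ver: parseVersion(m[2]) };
  });
}

// True when every comparator in the (space-separated, ANDed) range accepts the version.
function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(({ op, ver }) => {
    const c = compareVersions(v, ver);
    if (op === '^') return c >= 0 && v[0] === ver[0]; // caret keeps the major
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
  });
}

// Each override key is "<name>@<original range>". The replacement must stay inside the
// original key's major, otherwise dependents that asked for ^1.x silently receive a 2.x API.
// Returns one finding per offending override; an empty array means every override is bounded.
function auditOverrides(overrides) {
  const findings = [];
  for (const [key, replacement] of Object.entries(overrides)) {
    const major = parseRange(key.slice(key.lastIndexOf('@') + 1))[0].ver[0];
    const nextMajor = `${major + 1}.0.0`;
    if (satisfies(nextMajor, replacement)) findings.push({ key, replacement, admits: nextMajor });
  }
  return findings;
}

// Constructed samples: the override as first proposed in this PR, and the bounded form.
const proposed = { 'yaml@^1.10.0': '>=1.10.3' };
const bounded = { 'yaml@^1.10.0': '>=1.10.3 <2.0.0' };
console.log(auditOverrides(proposed)); // one finding: admits 2.0.0
console.log(auditOverrides(bounded)); // []
```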
Thanks for flagging this! However, there are a couple of issues with this approach:
@FrozenPandaz thanks, I updated the PR by upgrading

…[email protected] CVE

postcss-loader 8 uses cosmiconfig@9, which no longer depends on [email protected], removing the vulnerable transitive dependency path entirely.
View your CI Pipeline Execution ↗ for commit 2805cb6
Nx Cloud has identified a flaky task in your failed CI:
Since the failure was identified as flaky, the solution is to rerun CI. Because this branch comes from a fork, it is not possible for us to push directly, but you can rerun by pushing an empty commit:
git commit --allow-empty -m "chore: trigger rerun"
git push
FrozenPandaz left a comment
Everything looks good! Thank you so much for your contribution!
…[email protected] CVE (#35028)

## Current Behavior

`@nx/webpack` depends on `postcss-loader@^6.1.1`, which pulls in `cosmiconfig@7` → `[email protected]`. The `[email protected]` package has a known stack overflow vulnerability ([GHSA-48c2-rrv3-qjmp](GHSA-48c2-rrv3-qjmp)).

## Expected Behavior

By bumping `postcss-loader` to `^8.2.1`, the transitive dependency chain is eliminated entirely — `postcss-loader@8` uses `cosmiconfig@9`, which no longer depends on `yaml` at all. This is a cleaner fix than applying a `pnpm.overrides` workaround.

The upgrade is safe because:

- `postcss-loader@8` peer deps (`postcss ^7||^8`, `webpack ^5`) are unchanged
- The `implementation` option and function-based `postcssOptions` API used by `@nx/webpack` are fully supported in v8
- Nx already requires Node 18+, matching postcss-loader@8's engine requirement

## Related Issue(s)

Fixes #35025

(cherry picked from commit 63a8f27)