When creating a new project under create-react-app, you get warnings straight away regarding a vulnerability found in postcss.
Issue reported by npm: https://www.npmjs.com/advisories/1693
Related open issues can be found here:
The issue has been patched on postcss v8.2.10, but it's still present when creating new projects as react-scripts hasn't upgraded the dependency yet.
So, my problem here is I can no longer run builds as they fail due to the vulnerability.
Since I can't wait for them to get it patched before I keep working on my stuff (they seem to be aware of it since a year ago), is there some workaround that could be applied to solve it?
I tried adding a postcss resolution on package.json:
    "resolutions": {
        "postcss": "^8.2.10"
    },
but that didn't land me far.
Any idea?
This article helped me.
https://www.npmjs.com/package/npm-force-resolutions.
To use the resolutions you wrote, you should force them by adding this script in package.json:
    "scripts": {
        "preinstall": "npx npm-force-resolutions"
    }
After that, run npm install and it should overwrite all nested dependencies.
Anyway, it will not work due to many dependencies. Good news is that support for postcss 8 is already merged and probably will be released soon: https://github.com/facebook/create-react-app/issues/9664
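To see whether a forced resolution actually reached every nested copy of postcss, the lockfile can be checked directly. The following is an added example, not code from the answer above or from any of the projects mentioned; the function names and the sample lockfile (including the package name some-loader) are constructed for illustration, and it compares against 8.2.10 because that is the patched version named on this page.

```javascript
// Added example: list every postcss copy in a parsed package-lock.json
// that is older than the patched version named on this page (8.2.10).
const PATCHED = "8.2.10";

// Numeric x.y.z comparison; prerelease tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findOldPostcss(lock, patched = PATCHED) {
  const hits = [];
  // v2/v3: keys are paths such as "node_modules/a/node_modules/postcss"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/postcss") && meta.version &&
        compareVersions(meta.version, patched) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits;
  // v1: walk the nested dependency tree and record the chain of parents
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(" > ");
      if (name === "postcss" && compareVersions(meta.version, patched) < 0) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not real project data).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    postcss: { version: "8.2.10" },
    "some-loader": { version: "1.0.0", dependencies: { postcss: { version: "7.0.21" } } },
  },
};
console.log(findOldPostcss(sampleLock));
```

On a real project, pass it the result of JSON.parse on the contents of package-lock.json; an empty array means no copy older than 8.2.10 remains in the lockfile.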
Switching to Yarn makes this far simpler.
    rm -rf ./node_modules
    rm ./package-lock.json
Edit your package.json (add any other package versions to upgrade from npm / yarn audit here also):
    "resolutions": {
        "postcss": "^8.2.10"
    },
    yarn install
Then running yarn audit should yield the magic words:
    0 vulnerabilities found - Packages audited: 999
    ✨ Done in 1.10s.