Critical vulnerability in [email protected] - retire.js

[tpopov94]

Retire.js identifies a critical vulnerability when scanning projects with css-loader as dependency.

Retire.js Report:
"results": [ { "component": "macaddress", "version": "0.2.8", "parent": { "component": "uniqid", "version": "4.1.1", "parent": { "component": "postcss-filter-plugins", "version": "2.0.2", "parent": { "component": "cssnano", "version": "3.10.0", "parent": { "component": "css-loader", "version": "0.28.11" "level": 1 }, "level": 2 }, "level": 3 }, "level": 4 }, "level": 5, "vulnerabilities": [ { "info": [ "https://hackerone.com/reports/319467" ], "severity": "critical", "identifiers": { "summary": "Command Injection" } } ] } ]

This vulnerability comes from one of the module subdependencies - macddress

npm ls macaddress
[email protected] /Users/tpopov/Work/PlatformUI
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

[TixieSalander]

For info, macaddress have fixed the vulnerability in 0.2.9

[pumano]

update macaddress dependency and make a release please.

[alexander-akait]

@pumano we don't have macaddress in deps, please update own deps and lock file

[turbobeast]

@evilebottnawi you do have cssnano v3.10.0 which has an older version of post-css-filter-plugins (v2.0.2), that still depends on uniqid (also an older version), that has the vulnerable version of macadress.

The version of cssnano that breaks this chain (removed/updated post-css-filter-plugins), is still in pre-release, and has breaking changes 😭