Postcss dependency of react-scripts needs an upgrade

[nachogarciam]

Hi team

My build is not passing because I'm using npm audit to detect vulnerabilities. Npm audit detected a vulnerability with postcss which is a dependency of react-scripts. https://www.npmjs.com/advisories/1693

I tried to update the dependency with npm install postcss but it didn't work.

What can I do?

Example of a vulnerability:

[hammerdr]

I'm also deep into trying to fix this and haven't yet found the resolution.

PostCSS refuses to release a security fix (postcss/postcss#1574), including declining to merge a PR to fix the security issue.
postcss-preset-env is a little under water trying to upgrade to PostCSS 8 (csstools/postcss-preset-env#191)

Trying to force a resolution gets me build errors.

[hammerdr]

This is not a recommendation, just saying how I'm working around this.

I forked the repository, applied the fix to the v7 branch, and created a release called v8.3.0 (from the v7 branch.. ugh) to get around the audit fix.

This is not verified, and not "safe", but because yarn audit doesn't have a way to ignore advisories I needed this as a way to get back to a green build.

Here is the release I created https://github.com/hammerdr/postcss/releases/tag/8.3.0

I then did

1. yarn add url.to.tar.gz
2. added "postcss": "url.to.tar.gz" to my resolutions in package.json

Will continue to watch this thread in case better solutions arise.

[nachogarciam]

Thank you for your quick response and for your work hammerdr. I’ll take a look.

Cheers!

[kevlozano]

I'm having the same issue. Upgrading or audit fix doesn't work.

[sandeshindi]

I m having the same issue. But workaround from hammerdr works. Any idea when they will be fixing the issue

[Grachya]

Have same issue. Waiting for fix.

[hoffmannjan]

Same here.

[cinnamonbreakfast]

Adding postcss to resolutions does not fix the issue either. Can't even compile by doing this. 😶

postcss-modules-values: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-modules-local-by-default: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
modules-extract-imports: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-modules-scope: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration        
postcss-import-parser: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration        
postcss-icss-parser: postcss.plugin was deprecated. Migration guide:  
https://evilmartians.com/chronicles/postcss-8-plugin-migration        
postcss-url-parser: postcss.plugin was deprecated. Migration guide:   
https://evilmartians.com/chronicles/postcss-8-plugin-migration        
postcss-flexbugs-fixes: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
autoprefixer: postcss.plugin was deprecated. Migration guide: 
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-attribute-case-insensitive: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
css-blank-pseudo: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration   
postcss-color-functional-notation: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-color-gray: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-color-hex-alpha: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-color-mod-function: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-color-rebeccapurple: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-custom-media: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-custom-properties: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-custom-selectors: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-dir-pseudo-class: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-double-position-gradients: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-env-fn: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-focus-visible: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-focus-within: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-font-variant: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-gap-properties: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
css-has-pseudo: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-image-set-function: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-initial: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-lab-function: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration
postcss-logical-properties: postcss.plugin was deprecated. Migration guide:
https://evilmartians.com/chronicles/postcss-8-plugin-migration

./src/index.css (./node_modules/css-loader/dist/cjs.js??ref--6-oneOf-3-1!./node_modules/postcss-loader/src??postcss!./src/index.css)
TypeError: Cannot read property 'unprefixed' of undefined

[mrrotberry]

Same here.👆☹️

[a-dabrowski-atb]

Same here ;o

[cemysf]

same here