Open
Description
Describe the bug
https://github.com/nextcloud/text/security/dependabot/42 reports a regexp DOS in postcss 7.x
We actually have conflicting requirements here:
@vue/vue2-jest@29.2.6 requires postcss@^7.0.36 via @vue/component-compiler-utils@3.3.0
@nextcloud/webpack-vue-config@6.0.1 requires postcss@^7.0.36 via a transitive dependency on @vue/component-compiler-utils@3.3.0
vite@5.0.12 requires postcss@^8.4.32
@vitejs/plugin-vue2@2.3.1 requires postcss@^8.4.32 via vite@5.0.12
No patched version available for postcss
So right now we include postcss@7 and postcss@8.
Both requirements of postcss@7 come from @vue/component-compiler-utils@3.3.0 which should not be required anymore since vue 2.7. However we still require it due to the need for vue-loader@15 for using webpack with vue 2.
Looks like this might be the way forward:
- migrate to vite feat: Move to vite for bundling #5367
- drop vue-loader
- use vitest instead of vue2-jest
- 🎉 no more
@vue/component-compiler-utilsthus no more old postcss.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment