0

When i run npm audit on my react project i get the following long list of issues.

# npm audit report

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
node_modules/resolve-url-loader/node_modules/postcss
  autoprefixer  9.0.0 - 9.8.6
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  css-blank-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-blank-pseudo
  css-declaration-sorter  4.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/css-declaration-sorter
    cssnano-preset-default  <=4.0.0-rc.2 || 4.0.1 - 4.0.8
    Depends on vulnerable versions of css-declaration-sorter
    Depends on vulnerable versions of cssnano-util-raw-cache
    Depends on vulnerable versions of postcss
    node_modules/cssnano-preset-default
  css-has-pseudo  *
  Depends on vulnerable versions of postcss
  node_modules/css-has-pseudo
    postcss-preset-env  >=6.0.0
    Depends on vulnerable versions of css-has-pseudo
    Depends on vulnerable versions of css-prefers-color-scheme
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-color-gray
    Depends on vulnerable versions of postcss-double-position-gradients
    node_modules/postcss-preset-env
  css-loader  2.0.0 - 4.3.0
  Depends on vulnerable versions of postcss
  node_modules/css-loader
    react-scripts  >=2.0.0-next.03604a46
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of postcss-flexbugs-fixes
    Depends on vulnerable versions of resolve-url-loader
    node_modules/react-scripts
  css-prefers-color-scheme  *
  Depends on vulnerable versions of postcss
  node_modules/css-prefers-color-scheme
  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
  Depends on vulnerable versions of postcss
  node_modules/cssnano
    optimize-css-assets-webpack-plugin  3.2.1 || 5.0.2 - 5.0.6
    Depends on vulnerable versions of cssnano
    node_modules/optimize-css-assets-webpack-plugin
  cssnano-util-raw-cache  >=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  icss-utils  4.0.0 - 4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  2.0.0 - 4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  2.0.0 - 4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-attribute-case-insensitive  4.0.0 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-attribute-case-insensitive
  postcss-browser-comments  2.0.0 - 3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-browser-comments
    postcss-normalize  7.0.0 - 9.0.0
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-browser-comments
    node_modules/postcss-normalize
  postcss-calc  6.0.2 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/postcss-calc
  postcss-color-functional-notation  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-functional-notation
  postcss-color-gray  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-gray
  postcss-color-hex-alpha  4.0.0 - 6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-hex-alpha
  postcss-color-mod-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-mod-function
  postcss-color-rebeccapurple  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-color-rebeccapurple
  postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-colormin
  postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-convert-values
  postcss-custom-media  7.0.0 - 7.0.8
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-media
  postcss-custom-properties  8.0.0 - 10.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-properties
  postcss-custom-selectors  5.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-custom-selectors
  postcss-dir-pseudo-class  >=5.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-dir-pseudo-class
  postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-comments
  postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-duplicates
  postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-empty
  postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-overridden
  postcss-double-position-gradients  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-double-position-gradients
  postcss-env-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-env-function
  postcss-flexbugs-fixes  4.0.0 - 4.2.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-flexbugs-fixes
  postcss-focus-visible  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-visible
  postcss-focus-within  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-focus-within
  postcss-font-variant  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-font-variant
  postcss-gap-properties  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-gap-properties
  postcss-image-set-function  >=3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-image-set-function
  postcss-initial  3.0.0 - 3.0.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-initial
  postcss-lab-function  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-lab-function
  postcss-loader  3.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-loader
  postcss-logical  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-logical
  postcss-media-minmax  4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-media-minmax
  postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-longhand
  postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-rules
  postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-font-values
  postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-gradients
  postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-params
  postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-selectors
  postcss-modules-extract-imports  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  2.0.0 - 2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-nesting  7.0.0 - 7.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-nesting
  postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-unicode
  postcss-normalize-url  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-whitespace
  postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-ordered-values
  postcss-overflow-shorthand  >=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-overflow-shorthand
  postcss-page-break  2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-page-break
  postcss-place  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-place
  postcss-pseudo-class-any-link  >=6.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-pseudo-class-any-link
  postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-initial
  postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-transforms
  postcss-replace-overflow-wrap  3.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-replace-overflow-wrap
  postcss-selector-matches  >=4.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-matches
  postcss-selector-not  4.0.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-selector-not
  postcss-svgo  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-svgo
  postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-unique-selectors
  resolve-url-loader  3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader
  stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/stylehacks

80 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Now when i run npm audit fix not a single one of them get fixed. I noticed most of them were caused by postcss so i went in and manually re-wrote the version in packages-locked.json so it would use the latest version of postcss but this just caused the whole thing to stop working. what do i do ?? do i just leave it like this? feels like a lot of issues to just leave.

Improve this question
4
  • Output says use npm audit fix --force. Commented May 22, 2021 at 23:03
  • 1
    doing that breaks even more things. then i u fix that by doing audit fix --force again and it basically brings us back to this exact logg Commented May 22, 2021 at 23:05
  • update postcss to >=8.2.10 Commented May 22, 2021 at 23:35
  • 3
    This question is similar to: postcss 7.0.0 - 8.2.9 Severity: moderate Regular Expression Denial of Service. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem. Commented May 22 at 0:25

1 Answer 1

Reset to default
3

I had posed this question couple of weeks ago here.

You can overcome this by forcing a resolution of postcss to ^8.2.10 temporarily. I wouldn't anyway worry much as a patch is being done as we speak, so it's just going to be a matter of time before it gets resolved.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.