Could you help remove the vulnerability introduced in your package? #173

Open
@paimon0715

Description

Hi, @NMFR, I stumbled upon a vulnerability introduced by package css-what@3.4.2:

Issue Description

When I build my project, I note that optimize-css-assets-webpack-plugin@5.0.8 transitively depends on css-what@3.4.2. However, the vulnerability CVE-2021-33587 has been detected in package css-what<5.0.1.
As far as I am aware, optimize-css-assets-webpack-plugin@5.0.8 is so popular that a large number of projects depend on it (476,014 downloads per week, about 1,868 downstream projects, e.g., @rails/webpacker 5.4.0, @expo/webpack-config 0.12.82, expo-cli 4.7.3, vuepress 1.8.2, @vuepress/core 1.8.2, @moneygeek/ui-components 1.122.0, imui 2.1.1, maga-components 1.0.0-beta.4, etc.)
In this case, the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them.
As you can see, optimize-css-assets-webpack-plugin@5.0.8 is introduced into the above projects via the following package dependency paths:
(1) @moneygeek/ui-components@1.122.0 ➔ docz@2.3.1 ➔ gatsby@2.32.13 ➔ optimize-css-assets-webpack-plugin@5.0.8 ➔ cssnano@4.1.11 ➔ cssnano-preset-default@4.0.8 ➔ postcss-svgo@4.0.3 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
(2) imui@2.1.1 ➔ docz@2.3.1 ➔ gatsby@2.32.13 ➔ optimize-css-assets-webpack-plugin@5.0.8 ➔ cssnano@4.1.11 ➔ cssnano-preset-default@4.0.8 ➔ postcss-svgo@4.0.3 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
(3) maga-components@1.0.0-beta.41 ➔ docz@2.3.1 ➔ gatsby@2.32.13 ➔ optimize-css-assets-webpack-plugin@5.0.8 ➔ cssnano@4.1.11 ➔ cssnano-preset-default@4.0.8 ➔ postcss-svgo@4.0.3 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
......

I know that it’s kind of you to have removed the vulnerability since optimize-css-assets-webpack-plugin@6.0.0.
But, in fact, the large number of downstream projects above cannot easily upgrade optimize-css-assets-webpack-plugin from version 5.0.8 to (>=6.0.0):
The projects such as docz, which introduced optimize-css-assets-webpack-plugin@5.0.8, are not maintained anymore. These unmaintained packages can neither upgrade optimize-css-assets-webpack-plugin nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package optimize-css-assets-webpack-plugin@5.0.8?

Suggested Solution

Since these inactive projects set a version constraint 5.0.* for optimize-css-assets-webpack-plugin on the above vulnerable dependency paths, if optimize-css-assets-webpack-plugin removes the vulnerability from 5.0.8 and releases a new patched version optimize-css-assets-webpack-plugin@5.0.9, such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in optimize-css-assets-webpack-plugin@5.0.9:
cssnano ^4.1.10 ➔ ^5.0.0;
Note:
cssnano@5.0.0(>=5.0.0-rc.0) transitively depends on css-what@5.0.1 which has fixed the vulnerability (CVE-2021-33587).
Of course, you are welcome to share other ways of dealing with the issue.

Thank you for your attention to this issue.

Best regards,
Paimon ^_^
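The check the report performs by hand (walk the dependency tree, find every path that ends in a css-what release below the fixed version 5.0.1) can be automated over the output of `npm ls --json`. The following is an added example, not code from the issue, its author, or the optimize-css-assets-webpack-plugin project. It assumes an `npm ls --json`-shaped tree (`{ name, version, dependencies: { name: { version, dependencies } } }`); the sample tree, the root package name `my-app` and the `other-tool` branch are constructed for the demonstration, while the vulnerable path mirrors the one quoted in the issue. The version comparison is a minimal SemVer core-plus-prerelease comparator written inline so the script runs with no dependencies.

```javascript
// Added example: report every dependency path that resolves to a css-what
// version below the fixed release. Not part of the issue or the project.
const VULNERABLE_PACKAGE = 'css-what';
const FIXED_VERSION = '5.0.1'; // first css-what release the issue cites as fixing CVE-2021-33587

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b.
// A pre-release (e.g. 5.0.0-rc.0) sorts below the plain release with the same core.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Depth-first walk over an `npm ls --json`-shaped tree. Returns one
// "a@1 ➔ b@2 ➔ ..." string per path that reaches a vulnerable target.
function findVulnerablePaths(tree, pkg = VULNERABLE_PACKAGE, fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (name, node, path, seen) => {
    const label = `${name}@${node.version}`;
    const next = path.concat(label);
    if (name === pkg && compareVersions(node.version, fixed) < 0) {
      hits.push(next.join(' ➔ '));
    }
    if (seen.has(label)) return; // guard against cyclic trees
    const nextSeen = new Set(seen).add(label);
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, next, nextSeen);
    }
  };
  walk(tree.name, tree, [], new Set());
  return hits;
}

// Constructed sample tree: one branch follows the path quoted in the issue,
// the other (hypothetical "other-tool") already resolves to the fixed css-what.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'optimize-css-assets-webpack-plugin': { version: '5.0.8', dependencies: {
      cssnano: { version: '4.1.11', dependencies: {
        'cssnano-preset-default': { version: '4.0.8', dependencies: {
          'postcss-svgo': { version: '4.0.3', dependencies: {
            svgo: { version: '1.3.2', dependencies: {
              'css-select': { version: '2.1.0', dependencies: {
                'css-what': { version: '3.4.2' } } } } } } } } } } } } },
    'other-tool': { version: '1.0.0', dependencies: {
      'css-what': { version: '5.0.1' } } },
  },
};

// Stand-alone run: prints the single vulnerable path through
// optimize-css-assets-webpack-plugin@5.0.8; the other-tool branch is clean.
for (const p of findVulnerablePaths(SAMPLE_TREE)) console.log('VULNERABLE:', p);
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse(fs.readFileSync('ls.json'))` where `ls.json` is the output of `npm ls --all --json`; the same walk then reports which top-level dependency (here optimize-css-assets-webpack-plugin) is the one to pin or upgrade.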
