Audit issues due to postcss version

[FBNitro]

Describe the bug

[ moderate ] Regular Expression Denial of Service in postcss
 vulnerable versions <8.2.13 found in:
 - dependencies: typescript-plugin-css-modules>postcss-filter-plugins>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-keyframes>icss-utils>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-selectors>postcss
 - dependencies: typescript-plugin-css-modules>postcss-icss-selectors>icss-utils>postcss

To Reproduce
execute yarn or npm audit

Expected behavior
A successful audit

Note: I realize that the postcss-filter-plugin/icss-* modules are way out of date that's the underlying cause... maybe there's another package this could move to.

[SukkaW]

Note it is not the issue of typescript-plugin-css-modules. It is postcss-icss-keyframes that relies on postcss@6.

[KenjiTakahashi]

FYI css-modules/postcss-icss-selectors#126
Looks like these libs are dead and should not be used.

[mrmckeb]

Thanks, I'll look at replacing this dependency.

[FBNitro]

#115 is now also causing audit issues because it is outdated.

[mrmckeb]

Deps are now updated and will be in the release today.

[FBNitro]

Sorry @mrmckeb it's still depending on postcss-icss-* and continues to fail audit checks with the latest version.

Can you reopen this please?

Version 4.1.1:

[critical] loader-utils: Prototype pollution in webpack loader-utils (1084924)
typescript-plugin-css-modules>postcss-icss-selectors>generic-names>loader-utils

As mentioned above, post-icss-selectors should not be used:
css-modules/postcss-icss-selectors#126

[mrmckeb]

Sorry, I was closing off a bunch of issues at once and didn't read the initial post in this issue correctly at the time (as I'd updated PostCSS).

Looking at the advisory, I don't think it is an immediate risk, but I understand the desire to deal with it ASAP:
GHSA-566m-qj78-rww5

This project predates the comment you mentioned, which is why it uses postcss-icss-selectors, however the refactor should allow us to remove that package.

Unfortunately this is a fairly big rewrite. I hope to have it finished, tested and shipped in the next few weeks. It looks like all of the packages you mentioned have been abandoned unfortunately, so I'll need to fork those or rewrite the functionality if I can't find suitable replacements.

[mrmckeb]

Looking at the plugins in more detail, I'm most concerned around postcss-filter-plugins which may be a feature we have to drop for now as there aren't any obvious replacements.

[GZLiew]

is this fix still ongoing ? do you need any help ? @mrmckeb

[243083df]

Can we just copy they sources and update deps like that css-modules/postcss-icss-selectors#128?
hey have MIT license.