TailwindCSS depends on an outdated version of postcss-load-config

[dykatz]

TailwindCSS depends on yaml indirectly through postcss-load-config. This CVE was released earlier today, and was patched in yaml@2.2.2. It can be used by postcss-load-config@4.0.1, but tailwind depends on postcss-load-config@^3.1.4. This is causing our static analysis tools to yell at us.

[RicardoAALL]

Yes, same here. Don't know if this is helpful but here is the output from npm audit

# npm audit report

yaml  <2.2.2
Severity: moderate
Uncaught Exception in yaml - https://github.com/advisories/GHSA-f9xv-q969-pqx4
fix available via `npm audit fix --force`
Will install tailwindcss@2.2.2, which is a breaking change
node_modules/yaml
  postcss-load-config  3.1.0 - 3.1.4
  Depends on vulnerable versions of yaml
  node_modules/postcss-load-config
    tailwindcss  <=0.0.0-oxide-insiders.ff2c25f || >=2.2.3
    Depends on vulnerable versions of postcss-load-config
    node_modules/tailwindcss

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force 

[zackfencedev]

Can confirm issue has started today for me as well on all my builds. Attempting to fix downgrades me to version 2.2.2.

[joaoguidev]

Same here.

[Arielle-Web]

same problem for me

[semy]

Same here

[alex-r-redfern]

Ditto. There is a patch available on the main branch of postcss-load-config if that helps? (see the link in this issue thread: postcss/postcss-load-config#242)

[marketsystems]

yeah the error is coming from tailwind, you need to update the postcss-load-config dependency which has already been patched to use yaml 2.2.2

[thecb4]

Downgrading didn't help me. And using with SvelteKit to produce a static page is blocked. None of the browsers will load the offending code in a production environment.

[yp717]

This is still an issue on our end too!

[reinink]

Hey folks!

So the issue here, as suggested, is that we're still using an older version of postcss-load-config. The reason for this is because we still supported Node.js v12, meaning we could not upgrade it to a newer version. While technically this CVE is not really relevant to a build-time project like Tailwind, it does cause warnings when using tools like npm audit.

Fixing this means updating our minimum Node version requirement, which is something we were hoping to avoid until the next major version of the project. However, this issue has forced our hand, and you'll see in #11089 that we've now dropped support for Node.js v12 and have updated any dependencies that were locked to older versions to their latest releases.

These changes eliminate the postcss-load-config security warning but do make Node.js v14 the new minimum version requirement for Tailwind CSS.

We've just published a new release that includes this fix — v3.3.2. Here's how to upgrade:

npm install tailwindcss@latest

We've tested this already using npm audit, and it appears to resolve this problem. Please let us know if you bump into any subsequent issues, as we updated a bunch of dependencies as part of this change.

@dykatz Thanks so much for reporting this issue! 🙏