Scripts: Update PostCSS minimum version to ensure it is secure (#31685)

WordPress · May 11, 2021 · 4a0fada · 4a0fada
1 parent c1134bb
commit 4a0fada
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 14 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -185,7 +185,7 @@
 		"nock": "12.0.3",
 		"node-watch": "0.7.0",
 		"patch-package": "6.2.2",
-		"postcss": "8.2.2",
+		"postcss": "8.2.15",
 		"postcss-loader": "4.2.0",
 		"prettier": "npm:[email protected]",
 		"progress": "2.0.3",

diff --git a/packages/scripts/CHANGELOG.md b/packages/scripts/CHANGELOG.md
@@ -14,6 +14,12 @@
 -   Have the `format` command ignore files listed in a `.prettierignore` file, add a fallback `.prettierignore` to the package ([30844](https://github.com/WordPress/gutenberg/pull/30844)).
 -   The e2e tests are now using [`jest-circus`](https://github.com/facebook/jest/tree/master/packages/jest-circus) as the test runner. This enable us to capture screenshots at the time the tests failed. The unit tests are also using the same test runner for consistency ([#28449](https://github.com/WordPress/gutenberg/pull/28449), [#31178](https://github.com/WordPress/gutenberg/pull/31178)).
 
+### Security Fix
+
+-   Update `postcss` dependency to the latest patch version. Versions before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing ([#31685](https://github.com/WordPress/gutenberg/pull/31685)).
+
+## 15.0.1 (2021-04-30)
+
 ### Bug Fix
 
 -   Add `postcss` as a dependency to ensure that the correct version gets installed.

diff --git a/packages/scripts/package.json b/packages/scripts/package.json
@@ -66,7 +66,7 @@
 		"mini-css-extract-plugin": "^1.3.9",
 		"minimist": "^1.2.0",
 		"npm-package-json-lint": "^5.0.0",
-		"postcss": "^8.2.2",
+		"postcss": "^8.2.15",
 		"postcss-loader": "^4.2.0",
 		"prettier": "npm:[email protected]",
 		"puppeteer-core": "^9.0.0",