Replace url-regex and is-url-superb with custom implementation #120

Closed
richardowen opened this issue Jul 8, 2020 · 6 comments

Comments

@richardowen

Feature Use Case

There is an open security vulnerability in url-regex (kevva/url-regex#70) and no patch available. The url-regex dependency isn't actually used by this package but even if it was removed, it would still be required further down the dependency tree by is-url-superb. It has been removed as a dependency of that package but upgrading isn't an option as that package now doesn't class protocol-relative URLs as valid. Protocol-relative URLs are valid in CSS so we want to allow them in this package. See #119 for more discussion.

Feature Proposal

  • Implement a new isUrl check in this package
    • This could use the Node.js URL class for the bulk of validation but also needs to allow protocol-relative URLs (not allowed by the URL class)
  • Remove the is-url-superb and url-regex dependencies
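One way to build the proposed check, written here as an added example rather than code from postcss-values-parser or any of the packages named above: the WHATWG URL class that ships with Node.js does the parsing, and protocol-relative references (which `new URL()` rejects because they carry no scheme) are handled by borrowing a scheme before parsing. The function and option names (`isUrl`, `isProtocolRelative`, `allowProtocolRelative`, `protocols`) are this example's own assumptions, not an API from the project.

```javascript
'use strict';

// Added example, not the project's implementation. Uses the global WHATWG
// `URL` class available in Node.js (>= 10); no hand-written URL regex.

// Schemes for which the WHATWG parser requires an authority (host) part.
const SPECIAL_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'ws:', 'wss:']);

// A protocol-relative (network-path) reference starts with exactly two
// slashes. Three or more slashes is a path-absolute reference, not a URL.
function isProtocolRelative(value) {
  return typeof value === 'string' && value.startsWith('//') && !value.startsWith('///');
}

// Options (hypothetical names chosen for this example):
//   allowProtocolRelative  accept //host/path, as CSS url() values may be (default true)
//   protocols              optional allow-list of schemes, e.g. ['http:', 'https:']
function isUrl(input, { allowProtocolRelative = true, protocols = null } = {}) {
  if (typeof input !== 'string') return false;
  const value = input.trim();
  if (value === '') return false;

  let candidate = value;
  let borrowedScheme = false;
  if (isProtocolRelative(value)) {
    if (!allowProtocolRelative) return false;
    // Borrow a scheme so the parser can validate host and path. The real
    // scheme is decided at resolution time by the document's own scheme.
    candidate = `https:${value}`;
    borrowedScheme = true;
  }

  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false; // no scheme, invalid host, or otherwise unparseable
  }

  // Network schemes (and anything protocol-relative) need a non-empty host.
  if ((borrowedScheme || SPECIAL_SCHEMES.has(parsed.protocol)) && parsed.hostname === '') {
    return false;
  }

  // A syntactically valid URL is not a safe one: javascript:, data: and file:
  // all parse. Callers that care can pass an allow-list of schemes.
  if (protocols && !borrowedScheme && !protocols.includes(parsed.protocol)) {
    return false;
  }
  return true;
}

// Constructed sample inputs, the kind of values seen inside CSS url():
const samples = [
  'https://example.com/img.png',
  '//cdn.example.com/img.png',
  'example.com/img.png',
  'data:image/png;base64,iVBORw0KGgo=',
  '//',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isUrl(s));
}
```

The `protocols` option is deliberately skipped for protocol-relative input, because the effective scheme there is whatever the stylesheet is served over, not the placeholder used for parsing; if a caller wants to forbid protocol-relative references outright, `allowProtocolRelative: false` does that.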
@jhuesos

jhuesos commented Aug 19, 2020

As a workaround, maybe it could be an option to replace url-regex with url-regex-safe which fixes the issue and I think its API is fully compatible?

jhuesos added a commit to jhuesos/jvega.dev that referenced this issue Aug 19, 2020
This solves some security issues. Only one remains:
shellscape/postcss-values-parser#120
@shellscape (Owner)

@jhuesos looks good 👍

@richardowen (Author)

@jhuesos Yes that sounds good.

Note that url-regex isn't actually used in this package right now (although it is a direct dependency so that needs removing). This package uses is-url-superb so the change would need to be replacing is-url-superb with an implementation which uses url-regex-safe.

@Hypnosphi

This comment has been minimized.

@richardowen (Author)

@Hypnosphi Unfortunately upgrading to that version isn't an option here because the new version doesn't class protocol-relative URLs as valid. See the original comment on this issue for more.

@davilima6

Can be closed after #125

5 participants