Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade css-select from ^3.1.2 to ^4.1.3 #1485

Merged
merged 2 commits into from
Jun 26, 2021
Merged

Upgrade css-select from ^3.1.2 to ^4.1.3 #1485

merged 2 commits into from
Jun 26, 2021
+26 −26

Conversation

ericcornelissen
Copy link
Contributor

@ericcornelissen ericcornelissen commented Jun 5, 2021
edited
Loading

Resolves #1488

This updates the css-select dependency from ^3.1.2 to ^4.1.2 in order to get the transitive dependency css-what updated to 5.0.1, which was vulnerable to ReDoS up-to-and-including 5.0.0. Given my understanding of SVGO, this means SVGO may be vulnerable as well when provided with a carefully crafted SVG containing CSS.

Alternatively, css-select can be set to as low as ^4.0.0 in order to get css-what updated to an appropriate version. I just set it to ^4.1.2 as that is the latest version as of opening this Pull Request.

As this concerns a vulnerable dependency that is also used in the latest SVGO v1, ideally SVGO v1 should also be patched. I'm not sure what the procedure is for updating SVGO v1 though...

@sgerrand
Copy link

sgerrand commented Jun 8, 2021

👋 @TrySound, are you able to review this change?

@mindctrl mindctrl mentioned this pull request Jun 8, 2021
Closed
@underoot
Copy link

underoot commented Jun 8, 2021
edited
Loading

It's worth also to upgrade it in 1.* version, because some of the projects depend on this version and it will be hard to upgrade it without breaking of API (i.e. look into gregberge/svgr#654)

@falgon falgon mentioned this pull request Jun 9, 2021
Closed
@zackdotcomputer
Copy link

zackdotcomputer commented Jun 9, 2021
edited
Loading

Noting that this "Resolves #1488" in the hopes that that magic phrase will close the issue when/if this get merged (I know that works if it's in the description of a PR, guess we'll find out if it works if its in a comment...)

Edit: RIP me - it doesn't

@zackdotcomputer
Copy link

FYI the breaking changes from css-select 3.1.2 -> 4.1.2 changelog (for someone with better knowledge of this codebase to be able to more easily review):

  • Several built-in pseudos are now stricter. This aligns them with the CSS spec, but might lead to changes in results.
  • In HTML, attributes are now automatically considered case-insensitive, based on the HTML spec. Some selectors might now match more elements.
  • Removed strict option.

@aleclarson
Copy link

@underoot This is a breaking change, as it affects CSS selectors in <style> elements, which requires svgo to bump to v3 major. Therefore, patching v1 is not viable.

@aleclarson
Copy link

For Yarn users (in your package.json):

"resolutions": {
  "**/css-what": "^5.0.0"
}

This should be safe to do, as it avoids any of the breaking changes introduced in css-select@4.

@ericcornelissen
Copy link
Contributor Author

This is a breaking change, as it affects CSS selectors in <style> elements, which requires svgo to bump to v3 major. Therefore, patching v1 is not viable.

Given that the changes are related to spec compliance (and the strict option doesn't seem to be used by SVGO) I'd be inclined to disagree. If you're using non-standard CSS selectors I think it's fair that SVGO doesn't support that out-of-the-box, and the fact that it did could be considered a bug. I think it's more important people on older versions of SVGO can easily update, than that a presumably small minority that uses non-standard selectors isn't bothered by an update.

Though of course it's up to the SVGO maintainers to decide.

Edit: RIP me - it doesn't

Did it for you 😉

@ludofischer ludofischer mentioned this pull request Jun 9, 2021
Merged
@midnight-wonderer midnight-wonderer mentioned this pull request Jun 12, 2021
Closed
@mischnic mischnic mentioned this pull request Jun 12, 2021
Closed
This was referenced Jun 12, 2021
Closed
Closed
@rejas rejas mentioned this pull request Jun 14, 2021
Closed
@vsumner vsumner mentioned this pull request Jun 14, 2021
Merged
4 tasks
@SymbioticKilla SymbioticKilla mentioned this pull request Jun 15, 2021
Closed
seahindeniz
seahindeniz reviewed Jun 17, 2021
View reviewed changes
package.json Outdated Show resolved Hide resolved
@ericcornelissen ericcornelissen changed the title Upgrade css-select from ^3.1.2 to ^4.1.2 Upgrade css-select from ^3.1.2 to ^4.1.3 Jun 17, 2021
@niji-vlebiannic niji-vlebiannic mentioned this pull request Jun 18, 2021
Closed
@carboneater carboneater mentioned this pull request Jun 18, 2021
Closed
@haesung3 haesung3 mentioned this pull request Jun 19, 2021
Closed
@chappjc chappjc mentioned this pull request Jun 21, 2021
Merged
This was referenced Jun 26, 2021
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Merged
Closed
Merged
@ericcornelissen ericcornelissen deleted the deps/update-css-select branch June 26, 2021 09:22
@zackdotcomputer zackdotcomputer mentioned this pull request Jun 26, 2021
Closed
ludofischer pushed a commit to cssnano/cssnano that referenced this pull request Jun 27, 2021
@sigveio
chore(deps): bump postcss-svgo dep of svgo from v2.3.0 to 2.3.1 (#1152)
ef098b1 
svgo version 2.3.1 bumps transitive dependency css-what from 4.x to 5.x to address a ReDoS security vulnerability present in versions prior to this. (See svg/svgo/pull/1485)
@ludofischer ludofischer mentioned this pull request Jun 27, 2021
Merged
This was referenced Jun 27, 2021
Merged
Merged
Merged
Merged
Merged
Closed
Open
Closed
@ericcornelissen
Copy link
Contributor Author

As this concerns a vulnerable dependency that is also used in the latest SVGO v1, ideally SVGO v1 should also be patched. I'm not sure what the procedure is for updating SVGO v1 though...

@TrySound, do you have any comment in this regard?

This was referenced Jul 4, 2021
Merged
Merged
Merged
Merged
This was referenced Jul 28, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joelpittet joelpittet joelpittet approved these changes

@tlusk tlusk tlusk approved these changes

@rejas rejas rejas approved these changes

@carboneater carboneater carboneater approved these changes

@silkfire silkfire silkfire approved these changes

@aleclarson aleclarson aleclarson approved these changes

@seahindeniz seahindeniz seahindeniz approved these changes

@felabr felabr felabr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

"High" Severity Audit from dependency css-select and css-what