Ibexa IBX / IBX-7611

[DAM] Bump version for webpack and sass-loader


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 4.5.6, 4.6.1
    • 4.5.4

    Description

      DAM specifies "postcss-loader": "^4.3.0" in https://github.com/ibexa/dam/blob/7907aa9174d0c6d9231476c2bf08cc131d3cbb7a/package.json#L16

      There is a known vulnerability in postcss versions below 8.4.31 (postcss itself, not -loader). The newest version that can be installed is 7.0.36 due to other dependencies:
      @symfony/webpack-encore@1.8.2 requires postcss@7.0.36 via a transitive dependency on resolve-url-loader@3.1.5
      https://github.com/ibexa/dam/security/dependabot/1

      We should resolve the dependency chain issues so we can get an updated postcss. It seems we need to bump webpack-encore to at least v2, to avoid the hardcoded postcss version in resolve-url-loader.

      There are no known or suspected ways to exploit this in the DXP, hence we are making this issue public.

People

    Assignee: Unassigned
    Reporter: Gunnstein Lye (gunnstein.lye@ibexa.co)