Why can't I get the latest version of postcss


I'm using vue-cli which has the dependency of postcss.

When I run npm audit I get warnings that postcss has vulnerabilities and I have to upgrade to some newer version. How do I do this?

I tried npm update, npm update -D, npm update -D --depth=99. But it doesn't work.

I also tried to remove vue-cli, which completely removes everything from postcss (I checked it). But then when I install vue-cli again, the old version of postcss gets installed again.

I also checked what version of postcss is required by vue-cli, and it only has requirements that say higher than version ^7.0.3 or something. But it should by default install the latest version, right?

I don't understand why npm is installing an old version and I also don't know how I can update it to the latest version.

This is the warning that I get.

┌───────────────┬──────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service         │
├───────────────┼──────────────────────────────────────────────┤
│ Package       │ postcss                                      │
├───────────────┼──────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                     │
├───────────────┼──────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                             │
├───────────────┼──────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > postcss-loader > postcss  │
├───────────────┼──────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1693            │
└───────────────┴──────────────────────────────────────────────┘

There is 1 answer

Charlie On

Referring to this: "how to fix postcss vulnerability in reactjs", it is mentioned there that it is suggested to wait for the maintainers to fix this issue. I'm also facing the same vulnerabilities with yarn audit...
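
Why `npm update` and a reinstall keep landing on a 7.x release, as an added example that is not part of the original question or answer: a caret range such as `^7.0.3` means `>=7.0.3 <8.0.0`, so no version inside it can satisfy the advisory's `>=8.2.10`. The function names are hypothetical, the list of published versions is constructed sample data, and prerelease tags are ignored.

```javascript
// Simplified caret-range resolution for plain x.y.z versions (added example).
const parse = (v) => v.split(".").map(Number);

// Compare two versions: -1, 0 or 1.
function cmp(a, b) {
  const x = parse(a);
  const y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of ^version: bump the left-most non-zero component.
function caretUpperBound(version) {
  const [maj, min, pat] = parse(version);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfiesCaret(version, base) {
  return cmp(version, base) >= 0 && cmp(version, caretUpperBound(base)) < 0;
}

// Highest published version allowed by ^base: what install/update selects.
function resolveCaret(published, base) {
  const ok = published.filter((v) => satisfiesCaret(v, base)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Can any version inside ^base also satisfy the advisory's ">=patched"?
function caretCanReach(base, patched) {
  return cmp(patched, caretUpperBound(base)) < 0;
}

// Constructed sample of published versions, not the real registry listing.
const PUBLISHED = ["7.0.3", "7.0.35", "8.0.0", "8.2.10", "8.4.5"];

console.log("upper bound of ^7.0.3:", caretUpperBound("7.0.3"));
console.log("resolved for ^7.0.3:", resolveCaret(PUBLISHED, "7.0.3"));
console.log("can ^7.0.3 reach >=8.2.10?", caretCanReach("7.0.3", "8.2.10"));
```

Because the range is declared by `postcss-loader` on the audit path rather than by the project itself, `npm update` at any depth resolves within that range, and a clean reinstall resolves the same way.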