Critical vulnerability in css-loader@0.28.11 - retire.js

Retire.js identifies a critical vulnerability when scanning projects with css-loader as dependency.

`Retire.js Report`:
`   "results": [
      {
        "component": "macaddress",
        "version": "0.2.8",
        "parent": {
          "component": "uniqid",
          "version": "4.1.1",
          "parent": {
            "component": "postcss-filter-plugins",
            "version": "2.0.2",
            "parent": {
              "component": "cssnano",
              "version": "3.10.0",
              "parent": {
                "component": "css-loader",
                "version": "0.28.11"
                "level": 1
              },
              "level": 2
            },
            "level": 3
          },
          "level": 4
        },
        "level": 5,
        "vulnerabilities": [
          {
            "info": [
              "https://hackerone.com/reports/319467"
            ],
            "severity": "critical",
            "identifiers": {
              "summary": "Command Injection"
            }
          }
        ]
      }
    ]`

This vulnerability comes from one of the module subdependencies - **macddress**

`npm ls macaddress`
entitlements-ui@0.0.1 /Users/tpopov/Work/PlatformUI
└─┬ css-loader@0.28.11
  └─┬ cssnano@3.10.0
    └─┬ postcss-filter-plugins@2.0.2
      └─┬ uniqid@4.1.1
        └── macaddress@0.2.8 


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Critical vulnerability in [email protected] - retire.js #732

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Critical vulnerability in [email protected] - retire.js #732

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions