
npm audit shows there is a low-level vulnerability in clean-css that is patched in >= 4.1.11.

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Low             Regular Expression Denial of Service
Package         clean-css
Patched in      >=4.1.11
Dependency of   ember-cli [dev]
                broccoli-clean-css > clean-css-promise > clean-css
More info       https://npmjs.com/advisories/785

Running npm list clean-css shows the following result:

+-- clean-css@4.2.3
`-- ember-cli@3.16.0
  `-- ember-cli-preprocess-registry@3.3.0
    `-- broccoli-clean-css@1.1.0
      `-- clean-css-promise@0.1.1
        `-- clean-css@3.4.28

How do I update this package?

Diagnostics:

Running npm audit fix does not work.

Running npm outdated does not work because there are no results.

Running the following does not work:

ncu -u
npm update
npm install

Running the following does not work:

npm update --save-dev clean-css-promise
npm update --save-dev broccoli-clean-css
npm update --save-dev clean-css-promise
npm install
– J Weezy
You need to wait until the relevant packages declare their compatibility with it. In the meantime, ignore it – it’s only a vulnerability if you’re using clean-css on user input, which you’re probably not. – Ry- Mar 19 '20 at 19:25

1 Answer

So there may be nothing you can do about it; you're at the mercy of your dependencies' dependencies.

You can only update the ones you're in control of, which in this case is ember-cli. If you can't update that, or are at the most updated version, then you're stuck waiting on other package maintainers to fix it in their dependencies (and ember-cli is stuck waiting if they need those packages, and so on down the tree).

In the meantime, chill as one of the comments suggested.

– Adam Jenkins

I see. I wasn't sure if there was something that I needed to go in and change myself. I will wait for future releases to update their dependencies. I cannot grant bounty as of yet - apparently SO wants it to bake in order to give others the opportunity to chime in. – J Weezy Mar 19 '20 at 19:31
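To make the answer's point concrete, here is an added example (not code from the question or the answer) that walks an npm ls --json style tree, reports every installed copy of a package with the path that pulls it in, checks each against the advisory's patched version, and names the direct dependency that is the only thing you can bump yourself. The tree is constructed by hand to mirror the npm list clean-css output in the question; the dep helper and the three-part version compare are assumptions of this example.

```javascript
// Added example, not code from the question or answer: walk an `npm ls --json`-style
// dependency tree, list every installed copy of a package with the path that pulls it
// in, and flag copies below the advisory's patched version. The tree is constructed
// by hand to mirror the `npm list clean-css` output in the question.
const dep = (version, dependencies = {}) => ({ version, dependencies });
const tree = dep("1.0.0", {
  "clean-css": dep("4.2.3"),
  "ember-cli": dep("3.16.0", {
    "ember-cli-preprocess-registry": dep("3.3.0", {
      "broccoli-clean-css": dep("1.1.0", {
        "clean-css-promise": dep("0.1.1", { "clean-css": dep("3.4.28") }),
      }),
    }),
  }),
});

// Numeric compare of two "x.y.z" versions: -1, 0 or 1 (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every copy of `pkg` in the tree. `directDependency` is the top-level package
// on the path, i.e. the only thing you can bump in your own package.json; everything
// below it is chosen by that package's maintainers.
function findCopies(node, pkg, patchedIn, path = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const childPath = [...path, { name, version: child.version }];
    if (name === pkg) {
      hits.push({
        version: child.version,
        path: childPath.map((p) => `${p.name}@${p.version}`).join(" > "),
        directDependency: childPath[0].name,
        patched: compareVersions(child.version, patchedIn) >= 0,
      });
    }
    hits.push(...findCopies(child, pkg, patchedIn, childPath));
  }
  return hits;
}

for (const hit of findCopies(tree, "clean-css", "4.1.11")) {
  const status = hit.patched ? "patched" : "VULNERABLE";
  console.log(`${hit.path}: ${status} (only lever: ${hit.directDependency})`);
}
```

Against the question's tree it reports the top-level clean-css@4.2.3 as patched and the copy under ember-cli as vulnerable, with ember-cli as the only lever, which is exactly why npm update on the nested packages cannot help.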