Potential vulnerability in package rollup-plugin-postcss

[paimon0715]

Hi, @egoist @SASUKE40,

Issue Description

I noticed that there is a vulnerability introduced in [email protected]:
As far as I am aware, vulnerability CVE-2021-33587 affects package css-what (versions:<5.0.1):https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035
Unfortunately, [email protected] transitively depends on the vulnerable package via:
[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]

[email protected] is so popular that lots of downstream projects depend on it (34,859 downloads per week, and about 359 downstream projects, e.g., microbundle 0.13.3 (latest version), @backstage/cli 0.7.3 (latest version), @types/rollup-plugin-postcss 3.1.4 (latest version), @nstudio/web 12.5.1 (latest version), @nstudio/web-angular 12.5.1 (latest version)), the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:
(1) @1stg/[email protected] ➔ @pkgr/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......

If you remove the vulnerable package from [email protected], then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from [email protected] ?

Fixing suggestions

In [email protected].*, you can kindly perform the following upgrade :
cssnano ^4.1.10 ➔ ^5.0.0;

Note:
[email protected](>=5.0.0-rc.0) transitively depends on [email protected] which has fixed the vulnerability (CVE-2021-33587).
If you have any other ways to resolve the issue, you are welcome to share with me.^_^

Thanks again for your contributions to the downstream users!

Best regards,
Paimon

[paimon0715]

@SASUKE40 Thanks for your understanding and help.