Vulnerable dependency lilconfig@2.1.0 in pnpm-lock.yaml

[JackMcBride98]

It's odd that there are two versions of lilconfig in the pnpm-lock.yaml

Versions before 3.1.1 are vulnerable to "Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function"
src

Having cloned the repo and looked at the git history it appears this was caused by PR #14769 @adamwathan

The project I'm working on has strict security requirements, so would appreciate if this could get fixed :)

Thanks for all your hard work. Absolutely love tailwindcss 😍

[thecrypticace]

This is incorrect. lilconfig@2.1.0 is not vulnerable.

From the CVE you provided — emphasis mine:

Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution

This means the vulnerability was introduced in 3.1.0 and addressed in 3.1.1. So v3.1.0 is the only vulnerable version.

Here's the release (v3.1.0) that added ESM support via dynamic import which transpiled to an eval(…) in CJS:
https://github.com/antonk52/lilconfig/releases/tag/v3.1.0

You can see the published source here:
https://unpkg.com/lilconfig@3.1.0/dist/index.js

Here's the release (v3.1.1) that fixed it
https://github.com/antonk52/lilconfig/releases/tag/v3.1.1

You can see the published source here (no dist because its no longer compiled):
https://unpkg.com/browse/lilconfig@3.1.1/src/index.js

For completeness you can see the source of 2.1.0 — which as you can see has no presence of eval and (is not subject to the CVE anyway):
https://unpkg.com/lilconfig@2.1.0/dist/index.js

Additionally, these are development dependencies and don't affect production installs so even if it were present this would only appear on a machine in which you cloned the tailwindcss git repo to.

[JackMcBride98]

Ahh thanks for checking that for me.

I've raised with Sonatype that this package is being shown as vulnerable incorrectly. Hopefully they will resolve the issue on their end.

Thanks again :)