Critical - Command Injection

[MichaelFBA]

When doing an npm audit

It says not to use this plugin because of its deep deps on macaddress

https://nodesecurity.io/advisories/654

Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ macaddress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ optimize-css-assets-webpack-plugin [dev]                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ optimize-css-assets-webpack-plugin > cssnano >               │
│               │ postcss-filter-plugins > uniqid > macaddress                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/654

[luizgrs]

scravy/node-macaddress#19

They are trying to find someone to accept the PR...

[NMFR]

Waiting for the PR or an alternative package.

[NMFR]

Seems that postcss-filter-plugins dropped the dependency with the vulnerability in version 3.0.1 but cssnano does not have this updated in any stable release.

[pldg]

Update cssnano solve the problem, macaddress is no more a dependency (try search for it in node_modules)

[NMFR]

What version of cssnano? I was trying to stay away from the release candidate versions (aka version 4 right now) given they are not yet marked as stable.

[pldg]

@NMFR Version 3.10.0. Try to run npm i -D cssnano, should solve the problem. To check for vulnerability use npm audit, also manually search macaddress in node_modules