Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix CVE-2021-23368,CVE-2021-23382, CVE-2021-33502 #11398

Open
wants to merge 8 commits into
base: 3.x
Choose a base branch
from

Conversation

HaishengLiang
Copy link

bump normalize-url to 4.5.1
bump postcss to 7.0.39

@fz6m
Copy link
Contributor

fz6m commented Jul 10, 2023

这些都是本地构建过程用的工具,不会带到产物代码里,本地默认都是开发者安全的,除非本地已经被入侵不安全了,修复价值不大。

比如 vscode 在你添加代码文件目录的时候还会警告你是否信任,不安全的提示,价值不大。

一般在 postinstall 恶意执行脚本,或者特别严重的 webpack 任意代码执行漏洞才会修复。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants