Closed
Describe the bug
https://github.com/nextcloud/text/security/dependabot/42 reports a regexp DoS in postcss 7.x.
We actually have conflicting requirements here:
- @vue/[email protected] requires postcss@^7.0.36 via @vue/[email protected]
- @nextcloud/[email protected] requires postcss@^7.0.36 via a transitive dependency on @vue/[email protected]
- [email protected] requires postcss@^8.4.32
- @vitejs/[email protected] requires postcss@^8.4.32 via [email protected]
No patched version available for postcss
So right now we include postcss@7 and postcss@8.
Both requirements of postcss@7 come from @vue/[email protected] which should not be required anymore since vue 2.7. However, we still require it due to the need for vue-loader@15 for using webpack with vue 2.
Looks like this might be the way forward:
- migrate to vite (feat: Move to vite for bundling #5367)
- drop vue-loader
- use vitest instead of vue2-jest
- 🎉 no more @vue/component-compiler-utils, thus no more old postcss.
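
The dependency tracing this report does by hand can be scripted against a lockfile. The following is an added example, not code from the issue or the Nextcloud repository: it walks a `package-lock.json` v3 style `packages` map and lists every chain from the root to an installed postcss copy of a given major version. The lockfile content, all package versions and the helper names (`resolveDep`, `whoPulls`) are constructed for illustration; only the package names and the postcss ranges come from the report.

```javascript
// Constructed sample in the package-lock.json v3 layout. Package names and the
// postcss ranges are from the issue; every version below is a constructed value.
const sampleLock = { packages: {
  '': { devDependencies: { 'vue-loader': '*', vite: '*' } },
  'node_modules/vue-loader': { version: '0.0.0-sample',
    dependencies: { '@vue/component-compiler-utils': '*' } },
  'node_modules/@vue/component-compiler-utils': { version: '0.0.0-sample',
    dependencies: { postcss: '^7.0.36' } },
  'node_modules/@vue/component-compiler-utils/node_modules/postcss': { version: '7.0.36' },
  'node_modules/vite': { version: '0.0.0-sample', dependencies: { postcss: '^8.4.32' } },
  'node_modules/postcss': { version: '8.4.32' },
} };

const nameOf = (p) =>
  p === '' ? '(root)' : p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);

// Node-style lookup: nearest node_modules/<dep>, walking up from the dependent.
function resolveDep(packages, from, dep) {
  let base = from;
  while (true) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Hypothetical helper: every chain from the root to an installed <name>@<major>.x copy.
function whoPulls(lock, name, major) {
  const pk = lock.packages;
  const parents = {}; // installed path -> paths of the packages depending on it
  for (const [from, e] of Object.entries(pk)) {
    const deps = { ...e.dependencies, ...e.devDependencies, ...e.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const to = resolveDep(pk, from, dep);
      if (to) (parents[to] = parents[to] || []).push(from);
    }
  }
  const chains = [];
  const walk = (trail, version) => {
    if (trail[0] === '') { chains.push(trail.map(nameOf).join(' > ') + '@' + version); return; }
    for (const p of parents[trail[0]] || []) if (!trail.includes(p)) walk([p, ...trail], version);
  };
  for (const [path, e] of Object.entries(pk)) {
    const hit = nameOf(path) === name && String(e.version).split('.')[0] === String(major);
    if (hit) walk([path], e.version);
  }
  return chains;
}
```

Calling `whoPulls(lock, 'postcss', 7)` on a real lockfile parsed with `JSON.parse` shows which top-level dependency has to go before the flagged major disappears from the tree.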