Latest CI Pipeline Executions
Succeeded
22.7.0-beta.8
63a8f27e fix(webpack): bump postcss-loader to ^8.2.1 to eliminate transitive yaml@1.x CVE (#35028)

## Current Behavior

`@nx/webpack` depends on `postcss-loader@^6.1.1`, which pulls in `cosmiconfig@7` → `yaml@1.x`. The `yaml@1.x` package has a known stack overflow vulnerability ([GHSA-48c2-rrv3-qjmp](https://github.com/advisories/GHSA-48c2-rrv3-qjmp)).

## Expected Behavior

By bumping `postcss-loader` to `^8.2.1`, the transitive dependency chain is eliminated entirely — `postcss-loader@8` uses `cosmiconfig@9`, which no longer depends on `yaml` at all. This is a cleaner fix than applying a `pnpm.overrides` workaround.

The upgrade is safe because:

- `postcss-loader@8` peer deps (`postcss ^7||^8`, `webpack ^5`) are unchanged
- The `implementation` option and function-based `postcssOptions` API used by `@nx/webpack` are fully supported in v8
- Nx already requires Node 18+, matching postcss-loader@8's engine requirement

## Related Issue(s)

Fixes #35025
18 days ago
by Robert Sid...