[Security] Bump @adobe/css-tools from 4.0.1 to 4.3.1 in /assets (!187) · Merge requests · Up Learn / Admin Elf

Dependabot Zahir's Email requested to merge dependabot-npm_and_yarn-assets-adobe-css-tools-4.3.1 into master Nov 20, 2023

Bumps @adobe/css-tools from 4.0.1 to 4.3.1. This update includes a security fix.

Vulnerabilities fixed

@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS

Impact

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

Patches

The issue has been resolved in 4.3.1.

Workarounds

None

References

N/A

Patched versions: 4.3.1 Affected versions: < 4.3.1

Changelog

Sourced from @adobe/css-tools's changelog.

4.3.1 / 2023-03-14

Fix redos vulnerability with specific crafted css string - CVE-2023-26364

4.3.0 / 2023-03-07

Update build tools

Update exports path and files

4.2.0 / 2023-02-21

Add @container support

Add @layer support

4.1.0 / 2023-01-25

Support ESM Modules

4.0.2 / 2023-01-12

#71 : @import does not work if url contains ';'

#77 : Regression in selector parsing: Attribute selectors not parsed correctly

Commits

See full diff in compare view

[Security] Bump @adobe/css-tools from 4.0.1 to 4.3.1 in /assets

Impact

Patches

Workarounds

References

4.3.1 / 2023-03-14

4.3.0 / 2023-03-07

4.2.0 / 2023-02-21

4.1.0 / 2023-01-25

4.0.2 / 2023-01-12

Merge request reports