npm audit fails due to postcss #6467
Description
Version
5.0.0-beta.0
Environment info
Environment Info:
System:
OS: Windows 10 10.0.19042
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 15.6.0 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 7.11.1 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: 90.0.4430.93
Edge: Spartan (44.19041.964.0), Chromium (90.0.818.56)
npmPackages:
@vue/babel-helper-vue-jsx-merge-props: 1.2.1
@vue/babel-helper-vue-transform-on: 1.0.2
@vue/babel-plugin-jsx: 1.0.6
@vue/babel-plugin-transform-vue-jsx: 1.2.1
@vue/babel-preset-app: 5.0.0-beta.0
@vue/babel-preset-jsx: 1.2.4
@vue/babel-sugar-composition-api-inject-h: 1.2.1
@vue/babel-sugar-composition-api-render-instance: 1.2.4
@vue/babel-sugar-functional-vue: 1.2.2
@vue/babel-sugar-inject-h: 1.2.2
@vue/babel-sugar-v-model: 1.2.3
@vue/babel-sugar-v-on: 1.2.3
@vue/cli-overlay: 5.0.0-beta.0
@vue/cli-plugin-babel: ~5.0.0-beta.0 => 5.0.0-beta.0
@vue/cli-plugin-eslint: ~5.0.0-beta.0 => 5.0.0-beta.0
@vue/cli-plugin-router: 5.0.0-beta.0
@vue/cli-plugin-vuex: 5.0.0-beta.0
@vue/cli-service: ~5.0.0-beta.0 => 5.0.0-beta.0
@vue/cli-shared-utils: 5.0.0-beta.0
@vue/compiler-core: 3.0.11
@vue/compiler-dom: 3.0.11
@vue/compiler-sfc: ^3.0.4 => 3.0.11
@vue/compiler-ssr: 3.0.11
@vue/component-compiler-utils: 3.2.0
@vue/reactivity: 3.0.11
@vue/runtime-core: 3.0.11
@vue/runtime-dom: 3.0.11
@vue/shared: 3.0.11
@vue/web-component-wrapper: 1.3.0
eslint-plugin-vue: ^7.2.0 => 7.9.0
vue: ^3.0.4 => 3.0.11
vue-eslint-parser: 7.6.0
vue-hot-reload-api: 2.3.4
vue-loader: 16.2.0 (15.9.6)
vue-style-loader: 4.1.3
vue-template-es2015-compiler: 1.9.1
npmGlobalPackages:
@vue/cli: Not Found
Steps to reproduce
vue create somethingnpm auditcomplains:
# npm audit report
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install @vue/cli-service@3.3.1, which is a breaking change
node_modules/@vue/component-compiler-utils/node_modules/postcss
@vue/component-compiler-utils >=2.4.0
Depends on vulnerable versions of postcss
node_modules/@vue/component-compiler-utils
@vue/cli-service >=3.4.0
Depends on vulnerable versions of @vue/component-compiler-utils
Depends on vulnerable versions of vue-loader-v15
node_modules/@vue/cli-service
vue-loader-v15
Depends on vulnerable versions of @vue/component-compiler-utils
node_modules/vue-loader-v15
4 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
What is expected?
npm audit does not return an error
What is actually happening?
npm audit returns an error