Bump clean-css from 3.4.28 to 4.1.11 #343
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
|
FWIW - I spent more time than I should've trying to address insecure dependencies here the other day, so I think this is just the tip of the iceberg |
|
Prolly. |
|
👎 This doesn't build |
At some point we should add CI checks for this code base. |
yeah. I'm not super worried about fixing the vulns, since it's only used at build time, but not getting stale would be nice. |
Bumps [clean-css](https://github.com/jakubpawlowicz/clean-css) from 3.4.28 to 4.1.11. - [Release notes](https://github.com/jakubpawlowicz/clean-css/releases) - [Changelog](https://github.com/jakubpawlowicz/clean-css/blob/master/History.md) - [Commits](clean-css/clean-css@v3.4.28...v4.1.11) Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/clean-css-4.1.11
branch
from
2fcd91f
to
0d36ed9
Compare
|
nudge |
|
@its-a-lisa it's unlikely we're going to fix this anytime soon because it's going to require substantial effort to fix a build-time library, this isn't a vulnerability which is exposed to end users. This vulnerability only happens when the site is being built and not when it's deployed, so it's both low-risk and low priority. // cc @pburkholder |
|
We can archive this repo. The 18F is working on re-implementing the design with USWDS 2.0 |
|
Thanks @eddietejeda, archiving. |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
Bumps clean-css from 3.4.28 to 4.1.11.
Changelog
Sourced from clean-css's changelog.
Commits
7812d59Version 4.1.11.0440b4aFixes ReDOS vulnerabilities.c601ebdVersion 4.1.10.9e0a38eFixes #1006 - handling invalid input source maps.913d72cFixes #1008 - edge case in breaking upfont.bedd8a9Adds @abarre fix to #1001 to release notes.e944a2b#1001 Fix corrupted state of tokenizer (#1010)8be4084Fixes #989 - edge case in removing unused at-rules.21a5df0Fixes #988 - edge case in droppinganimation-duration.5f6cbc6Version 4.1.9.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot ignore this [patch|minor|major] versionwill close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and language