react-scripts is using postcss@^7.0.35 which has security vulnerability

[biaoqiu]

react-scripts@5.0.1 requires postcss@^7.0.35 via a transitive dependency on resolve-url-loader@4.0.0

I see the latest version of resolve-url-loader is 5.x, and it depends on postcss@8.x. So can we update resolve-url-loader to a non-vulnerable version? Thank you!

[JcPires]

A link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-44270

[Dror-Bar]

I had to use overrides in my package.json to overcome there errors:

  "overrides": {
    "nth-check": "https://registry.npmjs.org/nth-check/-/nth-check-2.1.1.tgz",
    "postcss": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz"
  }

However the dependency should be updated in the main branch

[AnaisUrlichs]

@Dror-Bar thank you, you are going to be in my video on using Trivy to fix vulnerabilities with this suggestion -- Thank you!!!

[HiickFG]

I made this PR: #13778

It involves updating the resolve-url-loader to ^5.x as part of the vulnerability solution.