`@remotion/bundler`: Fork and inline css-loader, resolving security vulnerability by JonnyBurger · Pull Request #6883 · remotion-dev/remotion

JonnyBurger · 2026-03-20T09:12:36Z

Summary

Replaces the css-loader npm dependency with a stripped-down fork at packages/bundler/css-loader/
Keeps only what Remotion actually uses: url() handling and @import processing
Removes CSS Modules, ICSS, schema-utils validation, and semver checks
Net removal of 8 transitive dependencies (css-loader, schema-utils, semver, icss-utils, postcss-modules-values, postcss-modules-local-by-default, postcss-modules-extract-imports, postcss-modules-scope)

Test plan

All 5 bundler tests pass
Full repo build (65 packages) succeeds
Smoke test: all forked modules load correctly
Manual test: verify CSS loading works in Remotion Studio (cd packages/example && bun run dev)

🤖 Generated with Claude Code

Replace the css-loader npm dependency with a stripped-down fork that only includes what Remotion actually uses (url and import handling). Removes 8 transitive dependencies including CSS Modules and ICSS support which were never used. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel · 2026-03-20T09:12:42Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
bugs	Ready	Preview, Comment	Mar 20, 2026 10:02am
remotion	Ready	Preview, Comment	Mar 20, 2026 10:02am

pullfrog

Review: `@remotion/bundler`: Fork and inline css-loader

Critical: Missing variable declaration in `index.js`

There's a ReferenceError bug in packages/bundler/css-loader/index.js:55 — plugins is assigned without being declared:

// Line 55 - missing 'const'
plugins = [
  importParser({ ... }),
];

// Should be:
const plugins = [
  importParser({ ... }),
];

This will cause the loader to crash at runtime when processing CSS files. All 5 bundler tests may have passed because they might not exercise the import plugin path, or the error surfaces only during actual CSS bundling.

Other observations

Fork is well-scoped: removes CSS Modules, ICSS, schema-utils, and semver checks as advertised
MIT license attribution preserved from original css-loader v5.2.7
Runtime files (api.js, getUrl.js, cssWithMappingToString.js) look clean
No other obvious runtime issues found

Recommendation

Fix the missing const declaration and re-run the bundler tests before merging.

^{｜ Fix all ➔ ｜ Fix 👍s ➔ ｜ View workflow run ｜ pullfrog.com ｜ 𝕏}

packages/bundler/css-loader/index.js

pullfrog · 2026-03-20T09:17:08Z

Fixed the missing const keyword in packages/bundler/css-loader/index.js:55. The original css-loader v5.2.7 source does have const plugins = []; - the PR was missing this declaration. The fix has been pushed to the branch.

^{｜ View workflow run ｜ Triggered by Pullfrog ｜ pullfrog.com ｜ 𝕏}

…ckages Add `@remotion/bundler/css-loader` export so other packages can use the inlined fork instead of depending on css-loader directly. Update @remotion/tailwind and @remotion/tailwind-v4 to use it. Add CssLoaderTest composition to packages/example. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel bot deployed to Preview – bugs March 20, 2026 09:13 View deployment

JonnyBurger changed the title ~~@remotion/bundler: Fork and inline css-loader~~ @remotion/bundler: Fork and inline css-loader, resolving security vulnerability Mar 20, 2026

vercel bot deployed to Preview – remotion March 20, 2026 09:14 View deployment

pullfrog bot reviewed Mar 20, 2026

View reviewed changes

packages/bundler/css-loader/index.js Outdated Show resolved Hide resolved

fix: add missing const

6ba1734

vercel bot deployed to Preview – bugs March 20, 2026 09:24 View deployment

vercel bot deployed to Preview – remotion March 20, 2026 09:25 View deployment

vercel bot deployed to Preview – bugs March 20, 2026 10:01 View deployment

vercel bot deployed to Preview – remotion March 20, 2026 10:02 View deployment

JonnyBurger merged commit 470da37 into main Mar 20, 2026
18 checks passed

JonnyBurger deleted the fork-inline-css-loader branch March 20, 2026 10:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`@remotion/bundler`: Fork and inline css-loader, resolving security vulnerability#6883

`@remotion/bundler`: Fork and inline css-loader, resolving security vulnerability#6883
JonnyBurger merged 3 commits intomainfrom
fork-inline-css-loader

JonnyBurger commented Mar 20, 2026

Uh oh!

vercel bot commented Mar 20, 2026 •

edited

Loading

Uh oh!

pullfrog bot left a comment

Uh oh!

Uh oh!

pullfrog bot commented Mar 20, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

JonnyBurger commented Mar 20, 2026

Summary

Test plan

Uh oh!

vercel bot commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pullfrog bot left a comment

Choose a reason for hiding this comment

Review: @remotion/bundler: Fork and inline css-loader

Critical: Missing variable declaration in index.js

Other observations

Recommendation

Uh oh!

Uh oh!

pullfrog bot commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vercel bot commented Mar 20, 2026 •

edited

Loading

Review: `@remotion/bundler`: Fork and inline css-loader

Critical: Missing variable declaration in `index.js`

pullfrog bot commented Mar 20, 2026 •

edited

Loading