Upgrade lilconfig version to enable ESM support #14029
Closed
thibautsabot wants to merge 1 commit into tailwindlabs:main from
Can I bring this Pull Request up the stack again?

Also, upgrading this would resolve: "Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function."

Can we please get this merged? This resolves an error with my project as reported here shellscape/jsx-email#257
This was referenced Dec 3, 2024

@thibautsabot lilconfig@3.1.3 was just released today that contains an important fix for Windows absolute paths.

thecrypticace added a commit that referenced this pull request Dec 3, 2024

This PR updates `lilconfig` from v2.1.0 to v3.1.3. Significant improvements to this package include Windows absolute path support as well as ESM config files support. This supersedes #14029 which has fallen behind and has conflicts with the upstream branch. This is a critical update for Next.js apps running in development which have dependencies on packages that use an updated version of `lilconfig`. I understand that v4 will not be using `lilconfig` but it's an important update for users on v3.x in the meantime.

---------

Co-authored-by: Jordan Pittman <jordan@cryptica.me>

Closing in favor of #15289

This PR #12455 was merged last year by a lilconfig maintainer.
However, looking at the merge commit here, only the `package-lock.json` file was changed, the `package.json` didn't make it through.

Upgrading to lilconfig v3 allows users to use ESM for importing postcss configs.
(For example, when using `"type": "module"` in `package.json`)

On this branch, I used the latest version (which includes security patches), alongside a small bump to `postcss-load-config`.
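
The advisory range quoted in the conversation (lilconfig from 3.1.0 and before 3.1.1) can be checked against what a lockfile actually resolves, which matters here because the description notes that `package-lock.json` and `package.json` changed independently. The following is an added example, not code from this pull request, Tailwind CSS or lilconfig; the function names and the sample lockfile are constructed for illustration, and prerelease tags are ignored in the comparison.

```javascript
// Advisory range as quoted in the thread: >= 3.1.0 and < 3.1.1.
const VULN_MIN = [3, 1, 0]; // inclusive
const VULN_MAX = [3, 1, 1]; // exclusive

// Parse "3.1.0" (or "3.1.0-beta.1") into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, VULN_MIN) >= 0 && cmp(v, VULN_MAX) < 0;
}

// Collect every resolved copy of `name`, covering both lockfile layouts:
// lockfileVersion 2/3 ("packages" keyed by path) and 1 (nested "dependencies").
function findResolved(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Report each resolved lilconfig copy and whether it sits in the advisory range.
function auditLilconfig(lock) {
  return findResolved(lock, "lilconfig").map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile (not from the PR): one top-level copy, one nested.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/lilconfig": { version: "2.1.0" },
  "node_modules/postcss-load-config/node_modules/lilconfig": { version: "3.1.0" },
} };
```

Nested copies are reported separately because a transitive dependency can pin a version in the advisory range even when the top-level copy is outside it.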