Description
DAM specifies "postcss-loader": "^4.3.0" in https://github.com/ibexa/dam/blob/7907aa9174d0c6d9231476c2bf08cc131d3cbb7a/package.json#L16
There is a known vulnerability in postcss versions below 8.4.31 (in postcss itself, not in postcss-loader). The newest version that can be installed is 7.0.36 due to other dependencies:
@symfony/webpack-encore@1.8.2 requires postcss@7.0.36 via a transitive dependency on resolve-url-loader@3.1.5
https://github.com/ibexa/dam/security/dependabot/1
We should resolve the dependency chain issues so we can get an updated postcss. It seems we need to bump webpack-encore to at least v2, to avoid the hardcoded postcss version in resolve-url-loader.
There are no known or suspected ways to exploit this in the DXP, hence we are making it public.
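The chain above is the kind of thing that is easy to miss by only reading package.json, because the pin lives two levels down. The script below is an added example (not code from ibexa/dam or from npm) that walks an npm lockfile (`lockfileVersion` 2/3 `packages` map), finds every copy of a package, works out which requirer resolves to which copy using the same nested `node_modules` lookup npm records, and flags copies older than the fixed version. The lockfile is constructed for the example; `example-plugin` and its nested postcss copy are hypothetical, added only to show that a nested copy resolves differently from the hoisted one.

```javascript
// Audit an npm lockfile for copies of one package that predate a fixed version.
// Everything below `constructedLock` is constructed sample data; replace it with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to run on a real tree.

const FIXED_IN = "8.4.31"; // first postcss release without the reported issue

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Node resolution as recorded in the lockfile: the requirer's own node_modules
// first, then each ancestor's node_modules, ending at the root node_modules.
function resolveFrom(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    // Strip the trailing "node_modules/<pkg>" segment to move to the parent.
    const idx = dir.lastIndexOf("node_modules/");
    dir = idx <= 0 ? "" : dir.slice(0, idx - 1);
  }
}

// Every package that declares `name` as a (peer) dependency, the copy it actually
// resolves to, and whether that copy is older than `fixedIn`.
function auditPackage(lock, name, fixedIn) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const declared = { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
    if (!(name in declared)) continue;
    const resolved = resolveFrom(lock, path, name);
    const version = resolved ? lock.packages[resolved].version : null;
    findings.push({
      requirer: path === "" ? "(root package.json)" : path,
      requirerVersion: pkg.version || null,
      range: declared[name],
      resolved,
      version,
      vulnerable: version !== null && compareVersions(version, fixedIn) < 0,
    });
  }
  return findings;
}

// Requirers whose resolved copy is still vulnerable, in lockfile order.
function vulnerableRequirers(lock, name, fixedIn) {
  return auditPackage(lock, name, fixedIn).filter((f) => f.vulnerable).map((f) => f.requirer);
}

// Constructed lockfile mirroring the chain in the report: webpack-encore 1.8.2 ->
// resolve-url-loader 3.1.5 -> exact postcss 7.0.36, hoisted to the root.
// "example-plugin" is hypothetical and exists only to show a nested, fixed copy.
const constructedLock = {
  name: "dam-example",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@symfony/webpack-encore": "^1.8.2", "postcss-loader": "^4.3.0", "example-plugin": "^1.0.0" } },
    "node_modules/@symfony/webpack-encore": { version: "1.8.2", dependencies: { "resolve-url-loader": "^3.1.5" } },
    "node_modules/resolve-url-loader": { version: "3.1.5", dependencies: { postcss: "7.0.36" } },
    "node_modules/postcss": { version: "7.0.36" },
    "node_modules/postcss-loader": { version: "4.3.0", peerDependencies: { postcss: "^7.0.0 || ^8.0.1" } },
    "node_modules/example-plugin": { version: "1.0.0", dependencies: { postcss: "^8.4.31" } },
    "node_modules/example-plugin/node_modules/postcss": { version: "8.4.31" },
  },
};

for (const f of auditPackage(constructedLock, "postcss", FIXED_IN)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.requirer} wants ${f.range} -> ${f.resolved} (${f.version})`);
}
```

On a real checkout, `npm ls postcss` or `npm explain postcss` (npm 7+) prints the same chain; the script is useful when you want the check in CI, where the build should fail while any requirer still resolves to a copy below the fixed version.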