USWDS-Site - Snyk: Add postcss override to package.json

[amyleadem]

Summary

Added an override for postcss in the package.json file to prevent a snyk error.

Note
This override should be removed once the vulnerability can be resolved in @uswds/compile v1.1.0

Problem statement

Running npx snyk test results in the following errror:

Issues with no direct upgrade or patch:
  ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-POSTCSS-5926692] in postcss@8.4.19
    introduced by @uswds/compile@1.0.0 > gulp-sourcemaps@3.0.0 > @gulp-sourcemaps/identity-map@2.0.1 > postcss@7.0.39 and 1 other path(s)
  This issue was fixed in versions: 8.4.31

This is a vulnerability related to a subdependency of gulp-sourcemaps, which has has not been updated for 3 years. Because of the dependency's slow update cycle, it is unlikely that this vulnerability will be resolved by gulp-sourcemaps.

Solution

Creating a temporary override for this sub-dependency will resolve the snyk error while we wait for an update to uswds/compile.

Alternatively, we could update the snyk ignore, but that would require periodic updates every 30 days and would not resolve the vulnerability.

Testing and review

1. Confirm that there are no snyk errors related to postcss
2. Confirm that creating an override is the best method for resolving this error

[amyleadem]

Thinking it would be helpful to have a comment about this override directly in the package.json file. There is not a standard method for adding comments to a json file, but it is possible if we serve the comment as a data field. Is this anything we are interested in exploring? I feel like it would be easier to add a comment here rather than digging through GitHub or relying on memory to understand why the override is there and what to do with it. Curious what you all think!

Suggested change

	},
	},
	"@overridesComments": {
	"postcss": "This override should be removed once the related snyk error is resolved in @uswds/compile v1.1.0"
	},

[thisisdano]

I think this could make sense

[mejiaj]

I like the idea of adding comments close to the code so we don't forget. A new data field might not be necessary if we reference github issues in these types of commits.

My proposal

1. Create issue for updating and removing override.
2. Schedule issue two sprints out.
3. Add override and reference new issue in git commit message. Provides a nice reference in git blame.

Git commit message

- Add postcss override
+ Temporary postcss override. Remove with #ISSUE_NO

Mockup

You can see in the screenshot below. There's a line via git blame (light gray) and on hover we'll get a link to the issue.

[amyleadem]

Note
I tried to reference a value of $postcss as described in the npmjs overrides docs, but could not get it to recognize the reference. Not sure why it isn't working.

This reference would be useful because the override must match the declared dependency version exactly, and using a reference would mean that whatever is declared in devDependencies is the correct version. However, it should be ok to move forward without the reference, we just need to make sure to update the override version whenever we update the postcss devDependency.

    "postcss": "$postcss"

[mejiaj]

Nice fix. No issues found on install.

[mahoneycm]

Installs correctly and contains 0 vulnerabilities 👍