Snyk has published advisory SNYK-JS-POSTCSSSELECTORPARSER-16873882 (CVE-2026-9358, medium severity) describing an uncontrolled-recursion flaw in the toString function of the AST serializer. The advisory marks all versions as affected and notes there is no fixed version available.
This is impacting downstream consumers (e.g. eslint-plugin-vue users) who currently have no remediation path other than ignoring the finding in their security tooling. Is there a planned patch release that adds a recursion-depth limit or otherwise mitigates this in toString?
Snyk has published advisory SNYK-JS-POSTCSSSELECTORPARSER-16873882 (CVE-2026-9358, medium severity) describing an uncontrolled-recursion flaw in the toString function of the AST serializer. The advisory marks all versions as affected and notes there is no fixed version available.
This is impacting downstream consumers (e.g. eslint-plugin-vue users) who currently have no remediation path other than ignoring the finding in their security tooling. Is there a planned patch release that adds a recursion-depth limit or otherwise mitigates this in toString?