An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
More information
#### Details
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2023-44270](https://nvd.nist.gov/vuln/detail/CVE-2023-44270)
- [https://github.com/github/advisory-database/issues/2820](https://togithub.com/github/advisory-database/issues/2820)
- [https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5](https://togithub.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5)
- [https://github.com/postcss/postcss](https://togithub.com/postcss/postcss)
- [https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25](https://togithub.com/postcss/postcss/blob/main/lib/tokenize.js#L25)
- [https://github.com/postcss/postcss/releases/tag/8.4.31](https://togithub.com/postcss/postcss/releases/tag/8.4.31)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7fh5-64p2-3v2j) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
This PR contains the following updates:
8.4.19
->8.4.31
GitHub Vulnerability Alerts
CVE-2023-44270
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be
\r
discrepancies, as demonstrated by@font-face{ font:(\r/*);}
in a rule.This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
PostCSS line return parsing error
CVE-2023-44270 / GHSA-7fh5-64p2-3v2j
More information
#### Details An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2023-44270](https://nvd.nist.gov/vuln/detail/CVE-2023-44270) - [https://github.com/github/advisory-database/issues/2820](https://togithub.com/github/advisory-database/issues/2820) - [https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5](https://togithub.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5) - [https://github.com/postcss/postcss](https://togithub.com/postcss/postcss) - [https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25](https://togithub.com/postcss/postcss/blob/main/lib/tokenize.js#L25) - [https://github.com/postcss/postcss/releases/tag/8.4.31](https://togithub.com/postcss/postcss/releases/tag/8.4.31) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7fh5-64p2-3v2j) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
postcss/postcss (postcss)
### [`v8.4.31`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8431) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.30...8.4.31) - Fixed `\r` parsing to fix CVE-2023-44270. ### [`v8.4.30`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8430) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.29...8.4.30) - Improved source map performance (by Romain Menke). ### [`v8.4.29`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8429) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.28...8.4.29) - Fixed `Node#source.offset` (by Ido Rosenthal). - Fixed docs (by Christian Oliff). ### [`v8.4.28`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8428) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.27...8.4.28) - Fixed `Root.source.end` for better source map (by Romain Menke). - Fixed `Result.root` types when `process()` has no parser. ### [`v8.4.27`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8427) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.26...8.4.27) - Fixed `Container` clone methods types. ### [`v8.4.26`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8426) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.25...8.4.26) - Fixed clone methods types. ### [`v8.4.25`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8425) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.24...8.4.25) - Improve stringify performance (by Romain Menke). - Fixed docs (by [@vikaskaliramna07](https://togithub.com/vikaskaliramna07)). ### [`v8.4.24`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8424) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.23...8.4.24) - Fixed `Plugin` types. ### [`v8.4.23`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8423) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.22...8.4.23) - Fixed warnings in TypeDoc. ### [`v8.4.22`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8422) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.21...8.4.22) - Fixed TypeScript support with `node16` (by Remco Haszing). ### [`v8.4.21`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8421) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.20...8.4.21) - Fixed `Input#error` types (by Aleks Hudochenkov). ### [`v8.4.20`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8420) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.19...8.4.20) - Fixed source map generation for childless at-rules like `@layer`.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.