
Update dependency postcss to v8 [SECURITY] #52

Merged 1 commit on May 14, 2021

Conversation

renovate[bot] (Contributor) commented May 14, 2021

WhiteSource Renovate

This PR contains the following updates:

Package            Change
postcss (source)   ^7 -> ^8.0.0

GitHub Vulnerability Alerts

CVE-2021-23368

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.


Release Notes

postcss/postcss

v8.2.10

Compare Source

  • Fixed ReDoS vulnerabilities in source map parsing.
  • Fixed webpack 5 support (by Barak Igal).
  • Fixed docs (by Roeland Moors).

v8.2.9

Compare Source

  • Exported NodeErrorOptions type (by Rouven Weßling).

v8.2.8

Compare Source

  • Fixed browser builds in webpack 4 (by Matt Jones).

v8.2.7

Compare Source

  • Fixed browser builds in webpack 5 (by Matt Jones).

v8.2.6

Compare Source

  • Fixed Maximum call stack size exceeded in Node#toJSON.
  • Fixed docs (by inokawa).

v8.2.5

Compare Source

  • Fixed escaped characters handling in list.split (by Natalie Weizenbaum).

v8.2.4

Compare Source

  • Added plugin name to postcss.plugin() warning (by Tom Williams).
  • Fixed docs (by Bill Columbia).

v8.2.3

Compare Source

  • Fixed JSON.stringify(Node[]) support (by Niklas Mischkulnig).

v8.2.2

Compare Source

  • Fixed CSS-in-JS support (by James Garbutt).
  • Fixed plugin types (by Ludovico Fischer).
  • Fixed Result#warn() types.

v8.2.1

Compare Source

v8.2.0

Compare Source


PostCSS 8.2 added a new API to serialize and deserialize CSS AST to JSON.

import { parse, fromJSON } from 'postcss'

let root = parse('a{}', { from: 'input.css' })
let json = root.toJSON()
// save to file, send by network, etc
let root2 = fromJSON(json)

Thanks to @mischnic for his work.

v8.1.14

Compare Source

  • Fixed parser performance regression.

v8.1.13

Compare Source

  • Fixed broken AST after moving nodes in visitor API.

v8.1.12

Compare Source

  • Fixed Autoprefixer regression.

v8.1.11

Compare Source

  • Added PostCSS update suggestion on unknown event in plugin.

v8.1.10

Compare Source

  • Fixed LazyResult type export (by Evan You).
  • Fixed LazyResult type compatibility with Promise (by Anton Kastritskiy).

v8.1.9

Compare Source

  • Reduced dependencies number (by Bogdan Chadkin).

v8.1.8

Compare Source

  • Fixed LazyResult type compatibility with Promise (by Ludovico Fischer).
  • Fixed HTTPS links in documentation.

v8.1.7

Compare Source

  • Fixed import support in TypeScript (by Remco Haszing).

v8.1.6

Compare Source

  • Reverted package.exports Node.js 15 fix.

v8.1.5

Compare Source

  • Fixed Node.js 15 warning (by 沈鸿飞).

v8.1.4

Compare Source

  • Fixed TypeScript definition (by Arthur Petrie).

v8.1.3

Compare Source

  • Added package.types.

v8.1.2

Compare Source

  • Fixed API docs (by Arthur Petrie).
  • Improved plugin guide (by Yunus Gaziev).
  • Prepared code base for Deno support (by Oscar Otero).

v8.1.1

Compare Source

  • Fixed parser performance regression.

v8.1.0

Compare Source


PostCSS 8.1 fixed the new visitor API from the 8.0 release.

We fixed Root and RootExit re-calling on children's changes. And now visitors will visit the parent again if nested children were changed.

We added Once and OnceExit events, which will not be called again on node changes. You can use them to lint files or collect statistics:

module.exports = {
  postcssPlugin: 'postcss-linter',
  OnceExit (root) {
    lint(root)
  }
}
module.exports.postcss = true

We updated the Migration guide according to the new changes.

v8.0.9

Compare Source

  • Replace prototype in PostCSS 7 nodes instead of recreating them.
  • Added missed Transformer to exported types (by Pierre-Marie Dartus).

v8.0.8

Compare Source

  • Fix 8.0.7 regression on PostCSS 7 nodes converting (by Adam Wathan).

v8.0.7

Compare Source

  • Fixed compatibility issue with mixin AST with PostCSS 7 and 8 nodes.
  • Added migration guide translation to Chinese to the warning.

v8.0.6

Compare Source

  • Fixed child adding methods in Container.

v8.0.5

Compare Source

  • Update changelog.

v8.0.4

Compare Source

  • Fixed Cannot read property 'line' of null error.
  • Fixed source map support for declarations.

v8.0.3

Compare Source

  • Fixed client-side bundling support.

v8.0.2

Compare Source

  • Fixed plugin packs support.

v8.0.1

Compare Source

  • Updated Processor#version.

v8.0.0

Compare Source


PostCSS 8.0 brings new plugin API, node_modules size reduction, better source map support, and CSS parser improvements.

Check out a day-by-day diary of PostCSS 8.0 development process.

See Migration Guides for end-users and for plugin developers.

Thanks to Sponsors

With more than 100 M downloads per month, it becomes hard to support PostCSS in free time. For instance, getting the 8.0 release ready took 4 months of work.

This release was possible thanks to our community: Tailwind CSS, De Voorhoede, InVision AG, Brainbow, and many individual contributions.

Sponsored by Tailwind CSS

If your company wants to support the sustainability of front-end infrastructure or just wants to give some love to PostCSS, you can join our supporters by:

Breaking Changes

We try to avoid any breaking changes for end-users:

  • PostCSS 8 dropped Node.js 6.x, 8.x, 11.x, and 13.x versions support. All these versions have no security updates anymore.
  • We now serve ES6+ sources in the npm package without Babel compilation. If you are creating tools like CodePen and put PostCSS into the client-side JS bundle, you may need to run Babel on node_modules/postcss for old browsers.
  • We removed rarely used postcss.vendor API.

New Plugin API

The biggest change in PostCSS 8 is a new plugin API. Thanks to @BondarenkoAlex for big help in creating a new API.

module.exports = () => {
  return {
    postcssPlugin: 'postcss-will-change',
    Declaration: {
      'will-change': (decl, { Declaration }) => {
        decl.cloneBefore(
          new Declaration({ prop: 'backface-visibility', value: 'hidden' })
        )
      }
    }
  }
}
module.exports.postcss = true

We know that rewriting old plugins will take time, but the new API will improve the end-user’s experience and make life easier for plugin developers:

  • With new API, all plugins can share a single scan of the CSS tree. It makes CSS processing up to 20% faster.
  • Because npm often duplicates dependencies, you may have many postcss duplicates in your node_modules. New API fixes this problem.
  • Plugins will re-visit changed nodes to reduce compatibility issues between plugins. Now the order of plugins in your PostCSS config will be less important.
  • New API is close to Babel’s visitor API.

These resources will help plugin developers in API migration:

PostCSS development guidelines were also changed:

  • Now it is prohibited to create your own AST on top of PostCSS AST classes, since it could lead to painful bugs due to the usage of private APIs.
  • Plugins and runners must have postcss in peerDependencies.

New Website without React

Previously PostCSS used a React-based framework for the project's website. Since we have a static website, we decided to migrate to a React-free framework and got good performance improvements:

  • 360 → 20 ms for Max Potential First Input Delay
  • 3.3 → 1.5 seconds for First CPU Idle
  • 3.3 → 1.5 seconds for Time to Interactive

Check out postcss.org and new API docs that feature the awesome alchemy-inspired design by @okonet.

PostCSS website performance results

We also removed Google Analytics tracking scripts and encourage other open source projects to be an example in caring about user’s privacy and performance.

Parser Improvements

Did you know that all examples below are valid CSS?

:root {
  --empty: ;
  --JSON: [1, "2", {"three": {"a":1}}, [4]];
  --javascript: function(rule) { console.log(rule) };
}

@supports (--element(".minwidth", { "minWidth": 300 })) {
  [--self] {
    background: greenyellow;
  }
}

Now PostCSS parses even those rare edge cases correctly. Thanks to Tailwind CSS and Prettier teams for adding more cases to our CSS parser tests collection.

Note that now --roundMixin: { border-radius: 8px } will be parsed as a Declaration with the { border-radius: 8px } value.

Better Source Map Support

We have added support for two new source map formats: Index map and JSON (data:application/json).

PostCSS 8 is now much closer to the source map spec. Thanks to the Google team for reports:

  • We now treat sources in map as URLs instead of file paths.
  • We now resolve sources relative to map file, not CSS file.

A few source map APIs were added:

  • opts.maps.absolute = true option for absolute paths in source map.
  • opts.maps.annotation = (file, root) => url for a dynamic path to source map.
  • Node#origin() now returns position.url in addition to position.file for compatibility with absolute URLs in source map’s sources.

API Changes

We have added ES modules support and now we export all classes from the main entry:

import { CssSyntaxError, parse } from "postcss"

@graberzz added Node#source.offset in addition to line and column.

CSS Custom Properties and Sass-like $-variables now have a special Declaration#variable mark:

const root = parse(`
  :root {
    --propery: value;
  }
  $variable: value
`)

root.first.first.variable //=> true
root.last.variable //=> true

TypeScript

PostCSS now has a first-class TypeScript support:

  • We moved API docs from JSDoc to TypeDoc. Check out our new API docs.
  • We are using check-dts to test types with special unit tests.
  • We keep types in separate files for better readability.
  • With the new structure and test system, we fixed many small issues in types.

Other Changes


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.
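The advisory quoted in the PR gives an affected range for postcss (from 7.0.0 and before 8.2.10). What a reviewer merging this update wants is a way to confirm that no copy of postcss inside that range survives in the lockfile, including nested duplicates that a top-level bump does not touch. The following is an added example and not code from the Renovate PR, from postcss, or from the repository being updated: a Node script with an inline semver comparison that walks a package-lock.json (both the v1 nested "dependencies" tree and the v2/v3 flat "packages" map) and reports every postcss entry inside the CVE-2021-23368 range. The lockfile shape, the SAMPLE_LOCK contents and the helper names are assumptions constructed for the example; the version bounds are the ones the advisory states.

```javascript
// Added example (not from the PR, postcss, or the updated repository):
// report lockfile entries of postcss whose version lies in the range the
// advisory states for CVE-2021-23368: >= 7.0.0 (inclusive), < 8.2.10 (exclusive).

const ADVISORY = {
  id: 'CVE-2021-23368',
  pkg: 'postcss',
  introduced: '7.0.0', // first affected version
  fixed: '8.2.10',     // first fixed version
};

// Minimal semver parser: major.minor.patch, optional prerelease, build metadata ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric tuple first, then prerelease identifiers;
// a prerelease sorts before the release it precedes (8.2.10-beta.1 < 8.2.10).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length && !y.pre.length) return -1;
  if (!x.pre.length && y.pre.length) return 1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1; }
    else if (nx) return -1;
    else if (ny) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// True when introduced <= version < fixed. Note the edge case: a prerelease of the
// fixed version (8.2.10-beta.1) is still inside the range, which is the conservative reading.
function isAffected(version, adv = ADVISORY) {
  return compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0;
}

// Collect affected entries. lockfileVersion 2/3 carry a flat "packages" map keyed by
// path; lockfileVersion 1 carries a nested "dependencies" tree. v2 files also include
// the legacy tree, so only one representation is walked to avoid double reporting.
function findAffected(lock, adv = ADVISORY) {
  const hits = [];
  const record = (path, info) => {
    if (info && info.version && isAffected(info.version, adv)) hits.push({ path, version: info.version });
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (name === adv.pkg) record(path, info);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === adv.pkg) record(path, info);
      walk(info.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not the repository's real package-lock.json): one
// top-level postcss 7.x, one nested copy already at the fixed version, one nested
// copy one patch release short of it.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/postcss': { version: '7.0.35' },
    'node_modules/tailwindcss': { version: '2.1.2' },
    'node_modules/tailwindcss/node_modules/postcss': { version: '8.2.10' },
    'node_modules/autoprefixer/node_modules/postcss': { version: '8.2.9' },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${ADVISORY.id}: ${hit.path} is ${hit.version} (affected)`);
}
```

Run against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The point of walking the whole tree rather than reading the top-level `postcss` entry is that a `^7 -> ^8.0.0` bump in package.json, as in this PR, does not by itself move copies pinned by other dependencies; the nested `autoprefixer/node_modules/postcss` entry in the sample is the kind of leftover the check exists to catch.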

@renovate renovate bot requested a review from mbround18 as a code owner May 14, 2021 19:56
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 5969116 to f5edb74 May 14, 2021 22:01
@mbround18 mbround18 enabled auto-merge (squash) May 14, 2021 22:05
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from f5edb74 to 99e5323 May 14, 2021 22:20
@renovate renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 99e5323 to b6ac3ac May 14, 2021 22:29
@mbround18 mbround18 merged commit 5f2efae into main May 14, 2021
@mbround18 mbround18 deleted the renovate/npm-postcss-vulnerability branch May 14, 2021 22:30