minify: upgrade clean-css 3.4.19 -> 4.2.3. Adapt to the semver major change

CleanCSS 3.4.19 had a Regex Denial of Service vulnerability and has to be updated. The major version bump requires the following changes: 1. Disabling rebase is necessary because otherwise the URLs for the web fonts become wrong; EXAMPLE 1: /static/css/src/static/font/fontawesome-etherpad.woff instead of /static/font/fontawesome-etherpad.woff EXAMPLE 2 (this is more surprising): /p/src/static/font/opendyslexic.otf instead of /static/font/opendyslexic.otf 2. CleanCSS.minify() can either receive a string containing the CSS, or an array of strings. In that case each array element is interpreted as an absolute local path from which the CSS file is read. In version 4.x, CleanCSS API was simplified, eliminating the relativeTo parameter, and thus we cannot use our already loaded "content" argument, but we have to wrap the absolute path to the CSS in an array and ask the library to read it by itself. Fixes #3616.
2025-01-19 14:13:34 +01:00 · 2020-03-22 00:33:22 +01:00 · 2020-03-22 00:33:22 +01:00 · ca35488273
commit ca35488273
parent 2c44a0f71e
3 changed files with 38 additions and 42 deletions
--- a/src/node/utils/Minify.js
+++ b/src/node/utils/Minify.js
@ -414,11 +414,36 @@ function compressJS(content)
 function compressCSS(filename, content, callback)
 {
  try {
-    var base = path.join(ROOT_DIR, path.dirname(filename));
-    new CleanCSS({relativeTo: base}).minify(content, function (errors, minified) {
+    const absPath = path.join(ROOT_DIR, filename);
+
+    /*
+     * Changes done to migrate CleanCSS 3.x -> 4.x:
+     *
+     * 1. Disabling rebase is necessary because otherwise the URLs for the web
+     *    fonts become wrong.
+     *
+     *    EXAMPLE 1:
+     *        /static/css/src/static/font/fontawesome-etherpad.woff
+     *      instead of
+     *        /static/font/fontawesome-etherpad.woff
+     *    EXAMPLE 2 (this is more surprising):
+     *        /p/src/static/font/opendyslexic.otf
+     *      instead of
+     *        /static/font/opendyslexic.otf
+     *
+     * 2. CleanCSS.minify() can either receive a string containing the CSS, or
+     *    an array of strings. In that case each array element is interpreted as
+     *    an absolute local path from which the CSS file is read.
+     *
+     *    In version 4.x, CleanCSS API was simplified, eliminating the
+     *    relativeTo parameter, and thus we cannot use our already loaded
+     *    "content" argument, but we have to wrap the absolute path to the CSS
+     *    in an array and ask the library to read it by itself.
+     */
+    new CleanCSS({rebase: false}).minify([absPath], function (errors, minified) {
      if (errors) {
        // on error, just yield the un-minified original, but write a log message
-        console.error(`CleanCSS.minify() returned an error on ${filename} (base CSS path: ${base}): ${errors}`);
+        console.error(`CleanCSS.minify() returned an error on ${filename} (${absPath}): ${errors}`);
        callback(null, content);
      } else {
        callback(null, minified.styles);
@ -426,7 +451,7 @@ function compressCSS(filename, content, callback)
    });
  } catch (error) {
    // on error, just yield the un-minified original, but write a log message
-    console.error(`Unexpected error minifying ${filename} (base CSS path: ${base}): ${error}`);
+    console.error(`Unexpected error minifying ${filename} (${absPath}): ${error}`);
    callback(null, content);
  }
 }
--- a/src/package-lock.json
+++ b/src/package-lock.json
@ -236,11 +236,6 @@
        "repeat-string": "^1.5.2"
      }
    },
-    "amdefine": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/amdefine/-/amdefine-1.0.1.tgz",
-      "integrity": "sha1-SlKCrBZHKek2Gbz9OtFR+BfOkfU="
-    },
    "ansi-regex": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
@ -712,22 +707,11 @@
      }
    },
    "clean-css": {
-      "version": "3.4.19",
-      "resolved": "https://registry.npmjs.org/clean-css/-/clean-css-3.4.19.tgz",
-      "integrity": "sha1-wyqKE8o7gkYJsUMGpdp22Hk8eHQ=",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/clean-css/-/clean-css-4.2.3.tgz",
+      "integrity": "sha512-VcMWDN54ZN/DS+g58HYL5/n4Zrqe8vHJpGA8KdgUXFU4fuP/aHNw8eld9SyEIyabIMJX/0RaY/fplOo5hYLSFA==",
      "requires": {
-        "commander": "2.8.x",
-        "source-map": "0.4.x"
-      },
-      "dependencies": {
-        "source-map": {
-          "version": "0.4.4",
-          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.4.4.tgz",
-          "integrity": "sha1-66T12pwNyZneaAMti092FzZSA2s=",
-          "requires": {
-            "amdefine": ">=0.0.4"
-          }
-        }
+        "source-map": "~0.6.0"
      }
    },
    "cliui": {
@ -789,12 +773,10 @@
      }
    },
    "commander": {
-      "version": "2.8.1",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-2.8.1.tgz",
-      "integrity": "sha1-Br42f+v9oMMwqh4qBy09yXYkJdQ=",
-      "requires": {
-        "graceful-readlink": ">= 1.0.0"
-      }
+      "version": "2.15.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-2.15.1.tgz",
+      "integrity": "sha512-VlfT9F3V0v+jr4yxPc5gg9s62/fIVWsd2Bk2iD435um1NlGMYdVCq+MjcXnhYq2icNOizHr1kK+5TI6H0Hy0ag==",
+      "dev": true
    },
    "commondir": {
      "version": "1.0.1",
@ -1614,11 +1596,6 @@
      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.2.tgz",
      "integrity": "sha512-IItsdsea19BoLC7ELy13q1iJFNmd7ofZH5+X/pJr90/nRoPEX0DJo1dHDbgtYWOhJhcCgMDTOw84RZ72q6lB+Q=="
    },
-    "graceful-readlink": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/graceful-readlink/-/graceful-readlink-1.0.1.tgz",
-      "integrity": "sha1-TK+tdrxi8C+gObL5Tpo906ORpyU="
-    },
    "growl": {
      "version": "1.10.5",
      "resolved": "https://registry.npmjs.org/growl/-/growl-1.10.5.tgz",
@ -2388,12 +2365,6 @@
        "supports-color": "5.4.0"
      },
      "dependencies": {
-        "commander": {
-          "version": "2.15.1",
-          "resolved": "https://registry.npmjs.org/commander/-/commander-2.15.1.tgz",
-          "integrity": "sha512-VlfT9F3V0v+jr4yxPc5gg9s62/fIVWsd2Bk2iD435um1NlGMYdVCq+MjcXnhYq2icNOizHr1kK+5TI6H0Hy0ag==",
-          "dev": true
-        },
        "debug": {
          "version": "3.1.0",
          "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
--- a/src/package.json
+++ b/src/package.json
@ -34,7 +34,7 @@
    "async-stacktrace": "0.0.2",
    "channels": "0.0.4",
    "cheerio": "0.20.0",
-    "clean-css": "3.4.19",
+    "clean-css": "4.2.3",
    "cookie-parser": "1.4.4",
    "ejs": "2.6.1",
    "etherpad-require-kernel": "1.0.9",