Autoprefixer versions 9.0.0 and 9.0.1 are both iterations of a popular tool that automatically adds vendor prefixes to CSS rules, enhancing cross-browser compatibility based on data from Can I Use. While both versions share the same core functionality and maintain key dependencies like postcss, browserslist, and caniuse-lite, a closer look reveals subtle but potentially impactful differences.
The dependencies block provides a look at what is being used by this library. Both the versions have the same dependencies, including postcss, browserslist, caniuse-lite, num2fraction, normalize-range and postcss-value-parser.
The key difference lies in the dist object and the release date. Version 9.0.1, released on July 21, 2018, has a slightly larger unpacked size (311604) compared to version 9.0.0 (311370), which was released on July 16, 2018. This suggests that version 9.0.1 incorporates minor bug fixes, performance improvements, or perhaps updated data within the caniuse-lite dependency that influence the final build size.
For developers, while the core functionality remains consistent, upgrading to 9.0.1 is recommended to leverage any potential improvements and ensure stability. It's a minor update, therefore it should be seamless.
All the vulnerabilities related to the version 9.0.1 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
