Autoprefixer is a PostCSS plugin that automatically adds vendor prefixes to CSS rules, ensuring cross-browser compatibility based on data from the Can I Use website. Versions 9.1.1 and 9.1.2 are both relatively recent releases within the Autoprefixer 9.x series, built upon PostCSS 7.0.2 and using Browserslist for target browser specification.
The primary difference between these two versions lies in their caniuse-lite dependency. Version 9.1.2 updates this dependency to ^1.0.30000877 from ^1.0.30000876 in version 9.1.1. This seemingly small change signifies an updated dataset from Can I Use, meaning version 9.1.2 has the latest information on browser support for various CSS features. For developers, this translates to more accurate prefixing and improved compatibility with a wider range of browsers, particularly newer browser versions and emerging CSS properties. The unpacked size also increased very slightly, from 324179 to 324248 bytes, probably indicating the addition of new data. The release dates, occurring within a week of each other, suggest that version 9.1.2 likely addresses bugs or incorporates updated browser support definitions identified shortly after the release of version 9.1.1, so upgrading is worthwhile to stay current with browser versions.
All vulnerabilities related to version 9.1.2 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, these parts are included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
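Because Autoprefixer 9.1.2 is built on PostCSS 7.0.2, which predates 8.4.31, the following added example (not code from Autoprefixer or PostCSS) audits an npm lockfile for installed PostCSS copies older than the fixed release and flags untrusted CSS containing a bare carriage return before it reaches a linter. The sample lockfile, the function names and the bare-CR heuristic are assumptions of this example; only the lockfile "packages" map (lockfileVersion 2 or 3) is handled.

```javascript
// Added example: lockfile audit for PostCSS < 8.4.31 plus an input pre-check.
const FIXED = [8, 4, 31]; // first fixed PostCSS release, per the advisory text

// "7.0.2" -> [7, 0, 2]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10));
  return [0, 1, 2].map((i) => (Number.isInteger(parts[i]) ? parts[i] : 0));
}

// True when the version sorts strictly before 8.4.31.
function isAffected(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 8.4.31
}

// Walk the lockfile "packages" map and return every installed copy of
// postcss (top-level or nested under another package) that predates the fix.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPostcss = /(^|\/)node_modules\/postcss$/.test(path);
    if (isPostcss && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Heuristic (assumption): a CR not followed by LF is the character the
// advisory's sample rule depends on, so flag it in untrusted CSS.
function hasBareCarriageReturn(css) {
  return /\r(?!\n)/.test(css);
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo' },
    'node_modules/autoprefixer': { version: '9.1.2' },
    'node_modules/autoprefixer/node_modules/postcss': { version: '7.0.2' },
    'node_modules/postcss': { version: '8.4.31' },
    'node_modules/postcss-value-parser': { version: '3.3.0' },
  },
};

console.log(findAffectedPostcss(sampleLock));
console.log(hasBareCarriageReturn('@font-face{ font:(\r/*);}'));
```

The nested entry matters: a project can pin a fixed top-level postcss and still run an older copy that a dependency such as Autoprefixer brings in.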