Autoprefixer version 9.7.5 represents a small but potentially impactful update over its predecessor, version 9.7.4. Both versions share the core functionality of parsing CSS and adding vendor prefixes based on Can I Use data, streamlining cross-browser compatibility for developers. A notable change lies within the dependencies. Version 9.7.5 upgrades postcss from 7.0.26 to 7.0.27, browserslist from 4.8.3 to 4.11.0, caniuse-lite from 1.0.30001020 to 1.0.30001036 and postcss-value-parser from 4.0.2 to 4.0.3. These updates generally bring bug fixes, performance improvements, and potentially expanded browser support through updated data from caniuse-lite. The change in browserslist is especially interesting, as it directly impacts how Autoprefixer determines which prefixes to apply based on specified browser targets. Developers should check the changelogs for these updated dependencies. Furthermore, the unpacked size of the package has increased from 340554 to 418720, indicating a potential increase in the size of the library, possibly due to the updated dependencies and features included. Finally, the release date difference indicates a significant update to the library, with version 9.7.5 being released significantly later, suggesting that it will include all of the previous bug fixes contained in the dependencies.
All the vulnerabilities related to version 9.7.5 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, these parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.