Clean-css, a popular and well-regarded CSS minifier, was updated from version 4.0.2 to 4.0.3 in late January 2017. Both versions offer the same core functionality, robust CSS minification, so developers using clean-css can expect consistent performance and feature sets between the two releases, making the upgrade a seamless transition.
Examining the package metadata reveals a few key differences. The dependencies and devDependencies remain unchanged, indicating no alterations to the core minification engine or testing framework, while the releaseDate field shows that version 4.0.3 was published on January 30, 2017, whereas version 4.0.2 came out on January 26, 2017. This short interval between releases suggests that 4.0.3 is a patch release.
Improvements in version 4.0.3 may include bug fixes, performance enhancements, or minor tweaks that did not warrant a major or minor version bump. For developers, upgrading to the latest patch is generally recommended in order to benefit from the newest refinements. Both versions are open source under the MIT license and openly available through the indicated git and tarball URLs, offering freedom and transparency. If you are using a version older than 4.0.2, upgrading to either version lets you benefit from these releases of the library.
All vulnerabilities affecting version 4.0.3 of the package
Regular Expression Denial of Service in clean-css
Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can make the application unresponsive, leading to Denial of Service.
Upgrade to version 4.1.11 or higher.
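A practitioner's check for this advisory, added here as an example (not code from the advisory or the clean-css project): walk a package-lock v1 style dependency tree and flag every copy of clean-css, direct or transitive, whose version is below the fixed release 4.1.11. The lockfile fragment and the "some-build-tool" package name are constructed for the example.

```javascript
// Added example: audit a lockfile-style dependency tree for clean-css < 4.1.11.
const FIXED_VERSION = '4.1.11'; // first fixed release named in the advisory

// Compare two "x.y.z" version strings numerically, so that 4.10.0 > 4.9.9
// (a plain string comparison would get this wrong). Returns -1, 0 or 1.
// Assumption: pre-release suffixes (e.g. "-beta") are not handled here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableCleanCss(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Recursively collect every clean-css entry from a package-lock v1
// "dependencies" tree, including nested copies pulled in by other packages.
// Returns [{ path, version, vulnerable }].
function auditCleanCss(deps, trail = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name].join(' > ');
    if (name === 'clean-css') {
      out.push({ path, version: info.version, vulnerable: isVulnerableCleanCss(info.version) });
    }
    auditCleanCss(info.dependencies, [...trail, name], out);
  }
  return out;
}

// Constructed sample: one direct install at 4.0.3 (the version this page covers)
// and one transitive install, via a hypothetical build tool, already at 4.1.11.
const SAMPLE_LOCK = {
  dependencies: {
    'clean-css': { version: '4.0.3' },
    'some-build-tool': {
      version: '1.0.0',
      dependencies: { 'clean-css': { version: '4.1.11' } },
    },
  },
};

for (const r of auditCleanCss(SAMPLE_LOCK.dependencies)) {
  console.log(`${r.path}@${r.version}: ${r.vulnerable ? 'VULNERABLE, upgrade to >=4.1.11' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json; npm's lockfile v2/v3 "packages" map can be flattened into the same shape.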