Clean-css, a popular and well-tested CSS minifier, published stable release 4.0.5 shortly after 4.0.4. Both versions are MIT-licensed and share the same core functionality, dependencies, and development dependencies, so upgrading between them requires no changes on the developer's side. The key runtime dependency, source-map, stays at 0.5.x (it produces the source maps that make debugging minified CSS practical), and the development tools browserify, http-proxy, jshint, nock, server-destroy, uglify-js, and vows are the same in both versions.
The primary difference is the release date: version 4.0.5 was released on February 7, 2017, version 4.0.4 on February 4, 2017. Such a short gap suggests that 4.0.5 addresses bug fixes or very minor enhancements found shortly after the 4.0.4 release, so developers using clean-css should strongly consider upgrading to 4.0.5 to run the current stable release. The package, authored by Jakub Pawlowicz, continues to provide efficient and reliable CSS minification for web projects. The source code is available on GitHub, where contributions are welcome, and both versions install via npm for straightforward integration into existing build processes.
Known vulnerabilities affecting version 4.0.5 of the package
Regular Expression Denial of Service in clean-css
Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions, which can leave the application unresponsive and lead to denial of service.
Upgrade to version 4.1.11 or higher.
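As an added example (not clean-css's own code), a small dependency audit that applies the advisory's boundary: given clean-css versions as they appear in a lockfile, it flags every one below 4.1.11, treating prerelease builds of the fix version as still affected. The lockfile entries are constructed sample data.

```javascript
// First version in which the ReDoS described above is fixed (from the advisory).
const FIXED_VERSION = '4.1.11';

// Parse "major.minor.patch[-prerelease]". The pattern uses only character
// classes with no nested quantifiers, so it cannot backtrack catastrophically.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns -1, 0 or 1 like a comparator; a prerelease sorts before its release.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.prerelease && !y.prerelease) return -1;
  if (!x.prerelease && y.prerelease) return 1;
  return 0;
}

// True when the installed version is inside the affected range (< 4.1.11).
function isAffectedCleanCss(installedVersion) {
  return compareSemver(installedVersion, FIXED_VERSION) < 0;
}

// Walk lockfile-style entries and report affected clean-css installs.
function auditLockfileEntries(entries) {
  return entries
    .filter((e) => e.name === 'clean-css' && isAffectedCleanCss(e.version))
    .map((e) => `${e.path}: clean-css ${e.version} is affected by ReDoS; upgrade to ${FIXED_VERSION} or later`);
}

// Constructed sample: nested installs as a lockfile might list them.
const SAMPLE_ENTRIES = [
  { name: 'clean-css', version: '4.0.5', path: 'node_modules/clean-css' },
  { name: 'clean-css', version: '4.1.11', path: 'node_modules/build-tool/node_modules/clean-css' },
  { name: 'clean-css', version: '4.1.11-beta.1', path: 'node_modules/legacy-theme/node_modules/clean-css' },
  { name: 'source-map', version: '0.5.7', path: 'node_modules/source-map' },
];

console.log(auditLockfileEntries(SAMPLE_ENTRIES).join('\n'));
```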