css-loader has released version 3.3.2, a minor update from the previous stable version 3.3.1. Both versions are designed to enable webpack to handle CSS files, allowing developers to import CSS directly into their JavaScript modules. Examining the metadata, the core functionalities and dependencies remain largely consistent between the two versions. Both rely on essential packages like postcss for CSS processing, loader-utils for webpack loader utilities, and schema-utils for options validation. The development dependencies, used for testing and building the package, are also identical, suggesting a focus on maintaining existing functionality and code quality.
While the direct code-level changes aren't apparent from this metadata alone, the slight difference in unpackedSize (82785 vs 83109) indicates potential minor adjustments in the codebase, likely bug fixes, performance tweaks, or documentation improvements. The release date difference, just a couple of hours apart, points to a quick follow-up release, possibly addressing an immediate issue found in 3.3.1. For developers, upgrading from 3.3.1 to 3.3.2 should be a safe and straightforward process. However, it’s wise to review the changelog (typically available on the css-loader GitHub repository) for specific details on bug fixes or enhancements that might impact their projects. Both versions maintain the peer dependency on webpack 4, ensuring compatibility with existing webpack-based projects.
All the vulnerabilities related to the version 3.3.2 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
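To check whether a project resolves a PostCSS copy older than the fixed 8.4.31, including copies nested under css-loader, the following added example (not code from css-loader or PostCSS) walks the "packages" map of an npm v2/v3 lockfile. The function names and the sample lockfile, including its version numbers, are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for PostCSS
// copies older than 8.4.31, the fixed version named in the advisory above.
const FIXED = [8, 4, 31];

// Parse "MAJOR.MINOR.PATCH[-pre]" into numbers; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v || "");
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when v sorts before 8.4.31 (a prerelease of 8.4.31 counts as before).
function isBeforeFix(v) {
  const p = parseVersion(v);
  if (!p) return true; // unparseable version string: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Return every installed postcss copy, nested ones included, that predates the fix.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match ".../node_modules/postcss" exactly, not postcss-value-parser etc.
    if (/(^|\/)node_modules\/postcss$/.test(path) && isBeforeFix(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (versions are illustrative, not from the page).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/css-loader": { version: "3.3.2" },
    "node_modules/css-loader/node_modules/postcss": { version: "7.0.23" },
    "node_modules/postcss-value-parser": { version: "4.0.2" },
  },
};

console.log(findAffectedPostcss(sampleLock));
```

On a real project, pass the parsed contents of package-lock.json to findAffectedPostcss in place of sampleLock.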