CSS-loader version 3.4.2 represents a minor update over its predecessor, version 3.4.1, offering incremental improvements and bug fixes for developers utilizing webpack to manage CSS assets. Both versions share the same core dependencies, ensuring a consistent foundation for CSS processing, including packages like camelcase, cssesc, postcss, postcss-modules-*, and schema-utils. These dependencies handle tasks such as CSS escaping, managing CSS Modules, and validating configurations.
Key differences lie primarily in the development dependencies, reflecting updates to the tooling used in the development and testing of the css-loader itself. For instance, @babel/* packages see a bump from version 7.7.4 to 7.7.7, while @commitlint/cli jumps from 8.2.0 to 8.3.4. Similarly, eslint is updated from 6.7.1 to 6.8.0. These updates likely incorporate bug fixes, performance enhancements, or new features within those respective tools, contributing to a more robust development environment for the css-loader.
Furthermore, sass is upgraded from 1.23.7 to 1.24.4 and sass-loader from 8.0.0 to 8.0.1. Webpack also sees a minor version bump to 4.41.5 from 4.41.3. The update in sass and sass-loader might bring improved support for newer Sass features or address compatibility issues. The peer dependency on webpack remains consistent, supporting versions 4 and 5. Version 3.4.2 was released on January 10, 2020, a week after 3.4.1, which was released on January 3, 2020. Developers should consider upgrading to version 3.4.2 to benefit from the refined development tooling, which indirectly contributes to the overall stability and reliability of the css-loader.
All vulnerabilities related to version 3.4.2 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, these parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
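A defender's check for the advisory above, added here as an example and not code from css-loader or PostCSS: it walks the packages map of a package-lock.json for PostCSS copies below 8.4.31, and normalizes CR, CRLF and FF to LF before untrusted CSS reaches a parser. The function names, the lockfileVersion 2/3 layout and the sample lockfile are assumptions of this example.

```javascript
// Added example: audit a lockfile for PostCSS copies older than the fixed release.
const FIXED = [8, 4, 31]; // advisory text: "PostCSS before 8.4.31"

// Parse "major.minor.patch"; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// True when the version sorts before 8.4.31.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable: report it so a person reviews it
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// return every installed postcss copy, nested ones included, that is affected.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/postcss")) continue;
    if (isAffected(meta.version || "")) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Input hygiene added by this example (not the PostCSS fix): CSS Syntax
// preprocessing maps CR, CRLF and FF to LF, which removes the \r the
// advisory's sample depends on before the text is parsed.
function normalizeCssNewlines(css) {
  return css.replace(/\r\n?|\f/g, "\n");
}

// Constructed lockfile fragment (versions are sample values, not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/css-loader": { version: "3.4.2" },
    "node_modules/css-loader/node_modules/postcss": { version: "7.0.0" },
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/postcss-modules-scope": { version: "2.0.0" },
  },
};

console.log(findAffectedPostcss(sampleLock));
```

Upgrading the flagged copies is the actual remedy; the newline normalization only narrows what an affected parser is given.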