css-loader has released a new version, 3.5.1, succeeding version 3.5.0. Both versions are CSS loader modules for webpack, enabling the import and use of CSS files within JavaScript modules in webpack projects. In the package metadata, the core dependencies remain consistent between the two versions, indicating no fundamental changes in how the loader handles CSS processing and integration. These include postcss for CSS transformations, loader-utils for webpack loader utilities, and icss-utils for composing CSS.
The primary distinction lies in the "dist" section, specifically the unpackedSize. Version 3.5.1 has an unpacked size of 90072 bytes, slightly larger than version 3.5.0's 89864 bytes. This suggests that the newer version includes minor enhancements, bug fixes, or possibly updated documentation, without adding significantly to the overall size. For developers, this increment might represent improved stability or performance in specific use cases, warranting an upgrade. The release dates are also one day apart, so the changes were small and probably bug fixes. Both releases maintain the same set of development dependencies, ensuring a consistent build and testing environment. Developers relying on css-loader can likely upgrade from 3.5.0 to 3.5.1 without encountering major compatibility issues, given the stability in core dependencies and peer dependencies (webpack 4 & 5), but, as always, it is recommended to review the changelogs and test their specific configurations.
All the vulnerabilities related to the version 3.5.1 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
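To check whether a project still installs a PostCSS copy older than the fixed 8.4.31, the following added example (not code from css-loader or PostCSS) walks the "packages" map of an npm lockfile and reports every affected copy together with the package that nests it. It assumes lockfileVersion 2 or 3; the function names, the example-linter package and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag every postcss copy in an npm lockfile (lockfileVersion 2/3
// "packages" map) that predates the fixed release named in the advisory.
const FIXED = "8.4.31"; // from the advisory text: "PostCSS before 8.4.31"

// Compare two x.y.z versions numerically; a pre-release suffix is ignored.
// Numeric comparison matters: as strings, "8.4.5" would sort after "8.4.31".
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Return one finding per affected postcss install, with the package nesting it.
function findAffectedPostcss(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    // Match only the package named exactly "postcss", not postcss-value-parser etc.
    if (parts[parts.length - 1] !== "postcss" || !meta.version) continue;
    if (compareVersions(meta.version, FIXED) >= 0) continue;
    // "node_modules/css-loader/node_modules/postcss" -> nested under css-loader
    const parent = parts.length > 2 ? parts[parts.length - 2].replace(/\/$/, "") : "(top level)";
    findings.push({ path, version: meta.version, parent });
  }
  return findings;
}

// Constructed sample lockfile. "example-linter" is hypothetical, and every
// version except css-loader 3.5.1 is illustrative.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/css-loader": { version: "3.5.1" },
    "node_modules/css-loader/node_modules/postcss": { version: "7.0.27" },
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/example-linter/node_modules/postcss": { version: "8.4.5" },
    "node_modules/postcss-value-parser": { version: "4.0.3" },
  },
};

for (const f of findAffectedPostcss(sampleLock)) {
  console.log(`${f.path} @ ${f.version} (pulled in by ${f.parent})`);
}
```

On a real project, pass the parsed contents of package-lock.json to findAffectedPostcss instead of sampleLock.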