PostCSS Color Hex Alpha version 4.0.0 represents a notable upgrade from version 3.0.0, primarily focused on dependency updates to ensure compatibility with newer PostCSS environments and related tools. A key difference lies in the postcss dependency, which jumps from version ^6.0.1 in 3.0.0 to ^7.0.2 in 4.0.0. This is crucial for developers using recent PostCSS versions in their projects, as it guarantees proper integration and avoids potential conflicts. The color dependency also sees a significant update, moving from ^1.0.3 to ^3.0.0, bringing in the latest color manipulation capabilities and bug fixes from that library. For developer ergonomics, it's worth mentioning that postcss-message-helpers stays in the same major version. The devDependencies also reflect upgrades, with eslint moving to ^5.6.0 from ^3.19.0, potentially introducing stricter linting rules and highlighting code quality improvements. While the core functionality of transforming RGBA hexadecimal notations remains consistent across both versions, developers should strongly consider upgrading to 4.0.0 for enhanced compatibility, security and performance benefits derived from the updated dependencies.
All the vulnerabilities related to the version 4.0.0 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
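Because version 4.0.0 declares postcss ^7.0.2, a caret range that only resolves to 7.x releases, the copy it installs always falls in the "before 8.4.31" range the advisory names. The following is an added example, not code from the package or from PostCSS: it walks the packages map of an npm lockfile and reports every installed postcss copy older than 8.4.31. The lockfile excerpt, the demo-app name and the function names are constructed for illustration.

```javascript
// Fixed release named in the advisory text ("PostCSS before 8.4.31").
const FIXED = "8.4.31";

// Split "7.0.39" or "8.4.31-beta.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version `a` sorts before release `b` (b carries no prerelease tag).
function isBefore(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i];
  }
  return x.pre; // e.g. 8.4.31-beta.1 precedes 8.4.31
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// return each installed postcss copy that predates the fix, with its path.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/postcss")) continue; // nested copies match too
    if (!meta.version) continue; // link entries carry no version
    if (isBefore(meta.version, FIXED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile excerpt: a patched top-level postcss next to the
// nested 7.x copy pulled in by postcss-color-hex-alpha 4.0.0.
const SAMPLE_LOCK = JSON.parse(`{
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/postcss": { "version": "8.4.31" },
    "node_modules/postcss-color-hex-alpha": { "version": "4.0.0" },
    "node_modules/postcss-color-hex-alpha/node_modules/postcss": { "version": "7.0.39" }
  }
}`);

console.log(findAffectedPostcss(SAMPLE_LOCK));
```

Updating only the top-level postcss leaves the nested copy in place, which is why the check reports install paths rather than a single version.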