PostCSS version 7.0.37 is a refinement of its predecessor, 7.0.36, in the ongoing evolution of this tool for transforming styles with JavaScript plugins. Both versions keep the core functionality that developers rely on for modern CSS workflows: parsing CSS, manipulating the AST, and generating output. The key difference lies in dependency management. Version 7.0.37 replaces the chalk and supports-color dependencies, present in 7.0.36, with nanocolors. This change can affect console output styling and color support, which might require developers to adjust their plugin configurations accordingly. The distribution size also increased slightly, with the unpacked size rising from 608026 bytes in version 7.0.36 to 608424 bytes in version 7.0.37. Developers should be aware of this change when evaluating the potential impact on project size. Overall, the update from 7.0.36 to 7.0.37 seems focused on internal improvements, dependency updates, and potential adjustments to command-line display rather than on new features for the core styling transformations.
All the vulnerabilities related to the version 7.0.37 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
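A pre-parse guard for a linter that accepts external CSS, given here as an added example that is not code from PostCSS or from this page: it checks the installed version against the 8.4.31 bound stated above and flags lone \r characters before the stylesheet reaches the parser. All function names are hypothetical, and rewriting \r to \n is an assumed stopgap for installs that cannot yet move to a fixed release.

```javascript
// Added example: helper names are hypothetical, not PostCSS APIs.
const FIXED_VERSION = '8.4.31'; // "before 8.4.31" per the advisory text

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`not a version string: ${version}`);
  return m.slice(1).map(Number);
}

// True when the installed version is older than the fixed release.
function isAffectedPostcss(version) {
  const have = parseVersion(version);
  const fixed = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] < fixed[i];
  }
  return false;
}

// Locate every carriage return that is not the first half of a CRLF pair.
function findBareCarriageReturns(css) {
  const hits = [];
  let line = 1;
  let lineStart = 0;
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '\r' && css[i + 1] !== '\n') {
      hits.push({ offset: i, line, column: i - lineStart + 1 });
      line++;
      lineStart = i + 1;
    } else if (css[i] === '\n') {
      line++;
      lineStart = i + 1;
    }
  }
  return hits;
}

// Screen untrusted CSS and hand back a copy with CRLF and bare CR rewritten
// to LF, so no lone "\r" reaches the parser.
function prepareUntrustedCss(css, postcssVersion) {
  const affected = isAffectedPostcss(postcssVersion);
  const bareCRs = findBareCarriageReturns(css);
  const normalized = css.replace(/\r\n?/g, '\n');
  return { affected, bareCRs, suspicious: affected && bareCRs.length > 0, css: normalized };
}

// Constructed sample: the snippet quoted in the advisory, with a real CR character.
const SAMPLE = '@font-face{ font:(\r/*);}';
```

A linter would pass the returned `css` to the parser and log or reject input where `suspicious` is true.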