PostCSS version 7.0.39 is a subtle but potentially impactful update to this popular tool for transforming styles with JavaScript plugins. Compared with the prior stable release, version 7.0.38, the key difference is a dependency: 7.0.39 uses picocolors at version ^0.2.1, while 7.0.38 relied on nanocolors at version ^0.2.2. This change of color library can affect how PostCSS renders colored output, and so the appearance of messages in build processes or in custom plugins that rely on color formatting. Both versions share the same core functionality, described as "Tool for transforming styles with JS plugins", and the same license, author, funding and repository information, but the dependency change can still matter to developers: it may affect bundle size, the exact color output in the console, or how color-related tasks are handled within plugins. Version 7.0.39 also has a smaller package size. Depending on the build environment and project setup, developers may need to adjust their configurations or plugin integrations to ensure compatibility. The updated release was published on October 4, 2021, shortly after the previous version of September 25.
All vulnerabilities affecting version 7.0.39 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts which PostCSS parses differently from a comment-aware parser: after processing, content that originated inside a comment ends up in the PostCSS output as CSS nodes (rules, properties).
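The following is an added defensive example, not code from the PostCSS project or this page: a pre-parse guard for untrusted CSS that reports lone carriage returns (a \r not followed by \n) with their position and normalizes all line endings to \n before the text reaches a parser. It assumes, based on the advisory above, that the lone \r is the character the affected versions mishandle, so normalizing it removes the discrepancy; the sample input is constructed from the advisory's payload, and the names guardUntrustedCss, findLoneCarriageReturns and normalizeLineEndings are my own.

```javascript
// Added example, not PostCSS project code. Assumption: a lone CR (\r not
// followed by \n) is what affected PostCSS versions (before 8.4.31) fail to
// treat as a line terminator; normalizing it to \n before parsing removes
// the discrepancy. Upgrading PostCSS remains the proper fix.

// Locate every lone carriage return and report offset, line and column.
function findLoneCarriageReturns(css) {
  const findings = [];
  let line = 1;
  let column = 1;
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    const loneCr = ch === '\r' && css[i + 1] !== '\n';
    if (loneCr) {
      findings.push({ offset: i, line, column });
    }
    if (ch === '\n' || loneCr) {
      line++;
      column = 1;
    } else if (ch !== '\r') {
      column++; // the \r of a \r\n pair does not advance the column
    }
  }
  return findings;
}

// Normalize CRLF and lone CR to LF so every parser agrees on line breaks.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Guard untrusted CSS before handing it to a parser: report lone CRs for
// logging/alerting and return the normalized text. Returns { css, findings }.
function guardUntrustedCss(css) {
  const findings = findLoneCarriageReturns(css);
  return { css: normalizeLineEndings(css), findings };
}

// Constructed sample: the payload shape from the advisory above, where a
// lone CR sits between "(" and a comment opener "/*".
const SAMPLE = '@font-face{ font:(\r/*);}';

const result = guardUntrustedCss(SAMPLE);
for (const f of result.findings) {
  console.log(`lone CR at offset ${f.offset} (line ${f.line}, col ${f.column})`);
}
console.log(JSON.stringify(result.css));
```

Feed result.css, not the raw input, to the parser when an affected PostCSS version cannot be upgraded yet; a non-empty findings array is worth logging, since hand-written CSS rarely contains a lone \r.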