PostCSS version 8.3.10 is a patch release of the popular tool for transforming styles with JavaScript plugins. Released on October 20, 2021, about two weeks after version 8.3.9, it consists of dependency updates only. nanoid, which PostCSS uses to generate the random identifier assigned to an input that has no filename (the placeholder that shows up in source maps and error messages), moves from version 3.1.28 to 3.1.30. picocolors, which PostCSS uses to colorize the code frame printed with a CSS syntax error, moves from version 0.2.1 to its first stable major, 1.0.0. The release notes do not describe what changed inside those two dependency versions, so nothing about security fixes should be inferred from the version bump itself.
Developers using PostCSS directly, or through any of its numerous plugins, should be aware of these dependency upgrades. The parser, the plugin API and PostCSS's own source are unchanged, so the upgrade is low risk; the unpacked size moving from 172714 to 172663 bytes is consistent with a package.json-only change and is not evidence of internal optimizations. Note that tooling which pulls PostCSS in transitively will only pick up the new nanoid and picocolors versions once its lockfile is refreshed, and it is the resolved transitive versions that a dependency audit reports on. The upgrade is recommended for all users of PostCSS so that they track current versions of its dependencies.
All vulnerabilities affecting version 8.3.10 of the package
PostCSS line return parsing error (CVE-2023-44270)
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that the boundary between comment and rule content differs between PostCSS and other CSS parsers, including the browser that will eventually apply the stylesheet: text that one parser places inside a comment ends up, after processing by PostCSS, in its output as CSS nodes (rules, properties), or the reverse. The cause is in the tokenizer. When it meets an opening parenthesis it looks ahead to the next closing parenthesis and, if nothing in between is on its list of disqualifying characters, emits the whole span as one opaque bracket token. A line feed was on that list but a carriage return was not, so in the demonstrated payload (\r/*) is consumed as a single value token and the /* inside it never starts a comment. A parser that normalizes \r to \n before tokenizing, as the CSS Syntax specification requires, instead opens a comment at /* and swallows everything up to the next */. A linter therefore reports on a different stylesheet than the one the browser applies, which lets a malicious stylesheet pass review. The fix in 8.4.31 adds \r to the disqualifying set. Version 8.3.10 is affected; upgrade to 8.4.31 or later. Normalizing line endings to \n before handing untrusted CSS to PostCSS also removes the discrepancy on older versions.
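To make the discrepancy concrete, the following is an added example; it is not code from PostCSS or from this page. It reimplements only the decision PostCSS's tokenizer makes when it meets an opening parenthesis, with two regular expressions modelled on the tokenizer's bad-bracket check as assumed before and after the 8.4.31 fix (reconstructed from the project's source, so verify them against the actual diff), a deliberately tiny scanner that models only bracket spans and comments, and the advisory's payload constructed inline. It also shows a pre-parse mitigation, normalizing \r to \n, that closes the gap even on an unpatched version.

```javascript
'use strict';

// Added example, not PostCSS's own code. Models the bracket-token decision in
// PostCSS's tokenizer with the bad-bracket regex as assumed before and after
// the 8.4.31 fix, to show where "/*" ends up in each case.
const RE_BAD_BRACKET_OLD = /.[\n"'(/\\]/;   // assumed pre-8.4.31: "\r" missing
const RE_BAD_BRACKET_NEW = /.[\r\n"'(/\\]/; // assumed 8.4.31: "\r" added

// The advisory's payload, constructed inline. "\r" is a real carriage return.
const PAYLOAD = '@font-face{ font:(\r/*);}';

// Decide whether "(" at `pos` may be swallowed, together with everything up to
// the next ")", as a single opaque "brackets" token. Note that "." in a JS
// regex never matches "\r" or "\n", so a line ending can only disqualify the
// span by being listed in the character class.
function bracketsAsOneToken(css, pos, badBracket) {
  const next = css.indexOf(')', pos + 1);
  if (next === -1) return false;
  return !badBracket.test(css.slice(pos, next + 1));
}

// Minimal scanner: models only "(...)" spans and "/* ... */" comments, which is
// all the payload needs. Everything else is emitted as a single 'char' token.
// An unclosed comment is taken to run to end of input (PostCSS itself raises
// an "Unclosed comment" error unless told to ignore errors).
function scan(css, badBracket) {
  const tokens = [];
  let pos = 0;
  while (pos < css.length) {
    const ch = css[pos];
    if (ch === '(' && bracketsAsOneToken(css, pos, badBracket)) {
      const next = css.indexOf(')', pos + 1);
      tokens.push(['brackets', css.slice(pos, next + 1)]);
      pos = next + 1;
    } else if (ch === '/' && css[pos + 1] === '*') {
      const close = css.indexOf('*/', pos + 2);
      const end = close === -1 ? css.length : close + 2;
      tokens.push(['comment', css.slice(pos, end)]);
      pos = end;
    } else {
      tokens.push(['char', ch]);
      pos += 1;
    }
  }
  return tokens;
}

function tokensOfType(tokens, type) {
  return tokens.filter(([t]) => t === type).map(([, text]) => text);
}

// Pre-parse guard for deployments stuck on a PostCSS older than 8.4.31:
// a bare "\r" between "(" and ")" is exactly the shape that triggers the bug.
function hasCarriageReturnInBrackets(css) {
  return /\([^)]*\r[^)]*\)/.test(css);
}

// Mitigation that works on either version: the CSS Syntax spec preprocesses
// "\r\n" and "\r" to "\n" before tokenizing, and "\n" was always a bad-bracket
// character, so normalized input cannot take the opaque-bracket path.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Summarize both behaviours for a given input.
function report(css) {
  const old = scan(css, RE_BAD_BRACKET_OLD);
  const fixed = scan(css, RE_BAD_BRACKET_NEW);
  return {
    oldBrackets: tokensOfType(old, 'brackets'),
    oldComments: tokensOfType(old, 'comment'),
    fixedBrackets: tokensOfType(fixed, 'brackets'),
    fixedComments: tokensOfType(fixed, 'comment'),
    suspicious: hasCarriageReturnInBrackets(css),
  };
}
```

Running report(PAYLOAD) shows the old check emitting (\r/*) as one bracket token with no comment at all, while the fixed check emits "(" alone and then a comment that runs from /* to the end of input, swallowing ");}" exactly as a browser would. report(normalizeLineEndings(PAYLOAD)) produces the comment even with the old check, which is why normalizing line endings before postcss.parse is a sound stopgap. The scanner ignores strings, escapes and url() tokens, which the real tokenizer also handles; it is only meant to isolate the one decision the advisory turns on.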