PostCSS is a powerful tool used by developers to transform CSS with JavaScript plugins. Both version 8.3.1 and 8.3.2 offer the same core functionality, allowing for extended CSS capabilities and customization. The core dependencies remain consistent between these versions, with both relying on "nanoid" for generating unique IDs, "colorette" for colorful terminal output, and "source-map-js" for source map manipulation, ensuring comparable performance and feature sets.
The key difference between versions 8.3.1 and 8.3.2 lies primarily in the release date. Version 8.3.2 was released on June 11, 2021, while version 8.3.1 was released a couple of days before, on June 9, 2021. While the unpacked size and file count in the distributed package are identical, suggesting no major code changes, developers should consider this a possible bug fix or hotfix release. Upgrading from 8.3.1 to 8.3.2 is advisable to benefit from any potential stability improvements or minor bug resolutions addressed in the newer version. For most developers, the upgrade should be seamless. PostCSS allows developers to write future-proof CSS. It is maintained by Andrey Sitnik and is licensed under the MIT license.
All the vulnerabilities related to version 8.3.2 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.