PostCSS version 8.3.4 represents a minor update to the popular CSS transformation tool, building upon the foundation laid by version 8.3.3. Both versions share the same core dependencies – nanoid for generating unique IDs, colorette for colorful console output, and source-map-js for robust source map handling – ensuring consistent functionality for developers. The license, repository details, author information (Andrey Sitnik), and funding information remain consistent, indicating no fundamental shift in the project's governance or support.
The key difference between the two releases lies in the dist section. Version 8.3.4 has a slightly larger unpackedSize of 188783 bytes, compared to 188709 bytes for 8.3.3; a difference this small most likely reflects bug fixes, minor performance tweaks, or documentation updates rather than significant feature additions. Both versions comprise 51 files. Most importantly, version 8.3.4's releaseDate is later than 8.3.3's, suggesting that the new release includes improvements and/or bug fixes. Developers might choose to upgrade to 8.3.4 to benefit from these refinements and to stay on the most up-to-date and potentially more stable iteration of PostCSS.
If you are already using PostCSS 8.3.3, upgrading is generally advised as it likely introduces improvements with minimal risk of breaking changes.
All the vulnerabilities related to version 8.3.4 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external, untrusted CSS. An attacker can prepare CSS in such a way that it contains parts which PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.
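Since 8.3.4 is itself before 8.4.31, upgrading from 8.3.3 to 8.3.4 does not address the issue above; the fix is moving to 8.4.31 or later. Where a linter service cannot upgrade immediately, the advisory's trigger, a bare carriage return (\r not followed by \n) in untrusted CSS, can be detected and neutralised before the text reaches the parser. The following is an added example written for this page, not PostCSS's own code: the function names (findBareCarriageReturns, normalizeLineEndings, prepareUntrustedCss) are hypothetical, and the sample inputs are constructed, the first one shaped after the @font-face snippet quoted in the advisory.

```javascript
// Added example (not from PostCSS): pre-parse handling of untrusted CSS for
// PostCSS versions before 8.4.31, which may treat a bare "\r" inconsistently
// with other CSS parsers. Normalising line endings removes the ambiguity;
// upgrading PostCSS remains the actual fix.

// Constructed sample inputs. The first mirrors the shape of the advisory's
// example: a bare "\r" followed by a comment opener inside a rule.
const SAMPLE_SUSPICIOUS = '@font-face{ font:(\r/*);}';
// The second uses an ordinary CRLF line ending, which is not a bare "\r".
const SAMPLE_CLEAN = '@font-face{ font: "x"; }\r\n.a{color:red}\n';

// Returns the position of every bare "\r" (a carriage return that is not
// immediately followed by "\n"), with 1-based line and column for reporting.
function findBareCarriageReturns(css) {
  const hits = [];
  let line = 1;
  let column = 1;
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (ch === '\r') {
      if (css[i + 1] === '\n') {
        // CRLF: a normal Windows line ending; consume the "\n" as well.
        i++;
      } else {
        hits.push({ offset: i, line, column });
      }
      line++;
      column = 1;
    } else if (ch === '\n') {
      line++;
      column = 1;
    } else {
      column++;
    }
  }
  return hits;
}

// Rewrites every "\r\n" and every bare "\r" to "\n" so that every parser in
// the pipeline (PostCSS and whatever runs alongside it) sees the same lines.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Gatekeeper for untrusted CSS. By default it normalises; with reject=true it
// refuses input containing a bare "\r", which suits a linter service that
// wants to surface the anomaly to the submitter instead of silently fixing it.
function prepareUntrustedCss(css, { reject = false } = {}) {
  const bare = findBareCarriageReturns(css);
  if (reject && bare.length > 0) {
    const first = bare[0];
    throw new Error(
      `bare carriage return at line ${first.line}, column ${first.column}`
    );
  }
  return normalizeLineEndings(css);
}

// Stand-alone demonstration on the constructed samples.
console.log(findBareCarriageReturns(SAMPLE_SUSPICIOUS)); // one hit at offset 18
console.log(findBareCarriageReturns(SAMPLE_CLEAN));      // []
console.log(JSON.stringify(prepareUntrustedCss(SAMPLE_SUSPICIOUS)));
```

The normalisation step is deliberately applied to the raw string before it is handed to postcss.parse (or to any other parser in the chain), so that all of them operate on identical line structure; the reporting variant exists because a silently rewritten input can hide the fact that someone submitted it in the first place.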