PostCSS 8.4.13 is a minor update to the popular JavaScript tool for transforming styles with plugins, succeeding version 8.4.12. Both versions keep the same core functionality and remain MIT-licensed, giving developers a powerful and versatile way to manipulate CSS through a rich ecosystem of plugins.
The primary visible difference lies in the dependency updates. Version 8.4.13 raises the nanoid dependency from ^3.3.1 to ^3.3.3. Although this looks minor, the newer nanoid range may carry bug fixes, performance improvements, or security patches that benefit projects relying on PostCSS. The other dependencies, picocolors and source-map-js, stay at the same versions in both releases, so this update was focused on the nanoid dependency.
From a developer's perspective, upgrading from 8.4.12 to 8.4.13 should be straightforward, provided the nanoid bump stays backward compatible with the PostCSS plugin configuration in use. The release dates also show the update cadence: version 8.4.13 was released approximately a month and a half after 8.4.12. Choosing between the two versions comes down to project needs: staying on 8.4.12 is fine unless your project relies on nanoid extensively; in that case, taking the bug fixes in 8.4.13 might be useful.
All vulnerabilities affecting version 8.4.13 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite being originally part of a comment.
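As an added example (not part of this page or of PostCSS itself), a defensive pre-check a linter integration can run on external CSS before an older PostCSS parses it: line endings are normalized the way the CSS Syntax spec's preprocessing step does, and a spec-style comment scan flags input in which a comment runs to end of input, so the caller can reject it or compare the comment-free text against the nodes PostCSS produced. Function names and the sample input are this example's own.

```javascript
// Added example (not PostCSS code): pre-check for untrusted CSS before a PostCSS-based linter.
// CSS Syntax Level 3 preprocessing: "\r\n", "\r" and "\f" are all newlines.
// Applying it before parsing removes the bare "\r" the advisory's snippet relies on.
function normalizeNewlines(css) {
  return css.replace(/\r\n|\r|\f/g, '\n');
}

// Spec-style comment scan: "/*" to the next "*/" or to end of input; "/*" inside
// a string never opens a comment. An unterminated comment is the case where an
// older tokenizer may keep producing nodes that a browser treats as commented out.
function scanComments(css) {
  const src = normalizeNewlines(css);
  let out = '';
  let unterminated = false;
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      // String token: copy through the closing quote; an unescaped newline
      // ends it early (bad-string), so a later "/*" is live again.
      let j = i + 1;
      while (j < src.length && src[j] !== ch && src[j] !== '\n') {
        if (src[j] === '\\') j++; // skip the escaped character, including an escaped quote
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (ch === '/' && src[i + 1] === '*') {
      const end = src.indexOf('*/', i + 2);
      if (end === -1) { unterminated = true; break; } // comment swallows the rest of the input
      i = end + 2;
    } else {
      out += ch;
      i++;
    }
  }
  return { stripped: out, unterminated };
}

// Gate used before handing external CSS to the linter: reject input whose comment
// structure is unsound, otherwise return the newline-normalized text to parse.
function prepareUntrustedCss(css) {
  const { stripped, unterminated } = scanComments(css);
  if (unterminated) return { ok: false, reason: 'unterminated comment', stripped };
  return { ok: true, css: normalizeNewlines(css), stripped };
}

// Constructed sample: the advisory's snippet followed by a rule a browser would never see.
const sample = '@font-face{ font:(\r/*);}\n.injected{color:red}';
console.log(prepareUntrustedCss(sample)); // ok: false, reason: 'unterminated comment'
```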