PostCSS 8.4.14 is a small but relevant update to the popular tool for transforming styles with JavaScript plugins, succeeding version 8.4.13. Both versions are licensed under MIT and share the same core functionality: manipulating CSS through a plugin-based architecture, which suits tasks such as autoprefixing, adopting future CSS syntax, and style linting. Key dependencies such as picocolors and source-map-js are unchanged between the two versions. The notable change is the updated nanoid dependency, which moves from version 3.3.3 in 8.4.13 to version 3.3.4 in 8.4.14. Although minor, this nanoid update likely carries bug fixes or performance improvements in the unique ID generation library, which may improve the stability and efficiency of plugins that rely on nanoid for generating unique identifiers. The more recent release date of 8.4.14 also reflects ongoing maintenance of the project. Developers should consider upgrading to version 8.4.14 to pick up the latest refinements in its dependencies, paying close attention to dependency changes. The unpacked size is also slightly larger.
All known vulnerabilities affecting version 8.4.14 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can prepare CSS so that it contains parts which PostCSS parses as a CSS comment. After processing by PostCSS, that content is included in the PostCSS output as CSS nodes (rules, properties) even though it was originally inside a comment.
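As an added example (not PostCSS's own code), the following helpers show the defensive side of this advisory: a version gate that flags PostCSS releases below 8.4.31, the first fixed version named above, and a pre-parse step that counts bare carriage returns in untrusted CSS and normalises every line ending to LF before the text reaches a parser. The function names, the audit report shape, and the line-ending normalisation as an extra hardening step for pipelines that cannot upgrade immediately are assumptions of this example; the sample input is the advisory's own \r test case, embedded here as a constructed string.

```javascript
// Added example, not PostCSS's own code. Helper names are hypothetical.
// Sample input constructed from the advisory text: a bare "\r" inside a rule.
const SAMPLE_CSS = '@font-face{ font:(\r/*);}';

// Parse "major.minor.patch" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed PostCSS is older than 8.4.31 (the first fixed release).
function postcssVersionAffected(version) {
  const fixed = [8, 4, 31];
  const actual = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (actual[i] !== fixed[i]) return actual[i] < fixed[i];
  }
  return false; // exactly 8.4.31
}

// Count lone CRs (not part of a CRLF pair) and rewrite all line endings to LF,
// so a parser that treats "\r" differently from "\n" never sees a bare CR.
function normalizeUntrustedCss(css) {
  const bareCarriageReturns = (css.match(/\r(?!\n)/g) || []).length;
  const normalized = css.replace(/\r\n?/g, '\n');
  return { css: normalized, bareCarriageReturns };
}

// Combine both checks into one report for an untrusted stylesheet.
function auditCssInput(css, postcssVersion) {
  const { css: safeCss, bareCarriageReturns } = normalizeUntrustedCss(css);
  return {
    css: safeCss,
    bareCarriageReturns,          // > 0 means the input carried lone "\r" bytes
    needsUpgrade: postcssVersionAffected(postcssVersion),
  };
}

// Running the audit against the advisory sample with the version this page covers.
console.log(auditCssInput(SAMPLE_CSS, '8.4.14'));
```

The normalised text can then be handed to PostCSS; the `needsUpgrade` flag is the actual fix and should gate CI rather than be logged and ignored.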