PostCSS version 8.4.17 is a minor update to the popular JavaScript tool for transforming styles with plugins, building upon version 8.4.16. Both versions share the same core dependencies: nanoid, picocolors, and source-map-js, ensuring compatibility and a consistent developer experience. They are also both released under the MIT license, providing developers with the freedom to use, modify, and distribute the software. Both versions are authored by Andrey Sitnik, aiming to provide accessible style transformation features.
The key difference between the two versions lies in their release date and the size of the unpacked package. Version 8.4.17 was released on September 30, 2022, while version 8.4.16 was released on August 6, 2022. While the file count remains constant at 54, version 8.4.17 shows a slight increase in unpacked size to 186908 compared to 186792 in version 8.4.16. This increment suggests the introduction of minor fixes, performance improvements, or small feature additions that could potentially benefit developers using PostCSS. As minor releases, both version 8.4.16 and 8.4.17 maintain backward compatibility, ensuring older PostCSS configurations should work seamlessly. Developers are encouraged to upgrade to the latest version due to the fixes and improvements. PostCSS continues to be actively supported through Open Collective and Tidelift.
All known vulnerabilities affecting version 8.4.17 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters that use PostCSS to parse external, untrusted CSS. An attacker can craft CSS so that it contains parts which PostCSS parses as a CSS comment. After processing by PostCSS, that content ends up in the PostCSS output as CSS nodes (rules, properties) even though it was originally inside a comment.
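The following is an added example, not code from the page or from the PostCSS project: a small pre-parse gate that a linter feeding untrusted CSS into PostCSS can apply. It checks the installed PostCSS version against the fixed release named in the advisory (8.4.31), counts bare carriage returns in the input, and normalizes CR and CRLF line endings to LF before the text reaches the parser. The version string would normally come from require('postcss/package.json').version; here it is passed in as a parameter. Treating CR normalization as a defense-in-depth step is this example's assumption; the primary fix remains upgrading to 8.4.31 or later.

```javascript
// Added example (not part of the original page or of PostCSS itself):
// a pre-parse gate for untrusted CSS handed to a PostCSS-based linter.
// Assumption: 8.4.31 is the first fixed release, as stated in the advisory.
const FIXED_VERSION = '8.4.31';

// Compare two dotted version strings numerically; returns -1, 0 or 1.
// A plain string comparison would wrongly rank "8.4.9" above "8.4.31".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed PostCSS is at or past the fixed release.
function isPatchedPostcss(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) >= 0;
}

// Number of carriage-return bytes in the input. CSS gains nothing from \r,
// so any occurrence in untrusted input is worth logging.
function countCarriageReturns(css) {
  return (css.match(/\r/g) || []).length;
}

// Rewrite CRLF and lone CR to LF so the parser only ever sees \n line breaks.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Gate untrusted CSS: always normalize line endings (defense in depth), and
// raise a warning when an unpatched PostCSS would have received raw \r bytes.
function prepareUntrustedCss(css, installedVersion) {
  const patched = isPatchedPostcss(installedVersion);
  const crCount = countCarriageReturns(css);
  const warning =
    !patched && crCount > 0
      ? `PostCSS ${installedVersion} predates ${FIXED_VERSION}; ` +
        `${crCount} carriage return(s) normalized before parsing`
      : null;
  return { patched, crCount, warning, css: normalizeLineEndings(css) };
}

// Constructed sample: the advisory's demonstration input with \r as a real byte.
const SAMPLE_CSS = '@font-face{ font:(\r/*);}';

// Stand-alone usage: PostCSS 8.4.17 (the version this page describes) is
// unpatched, so the sample triggers a warning and is normalized before parse.
const result = prepareUntrustedCss(SAMPLE_CSS, '8.4.17');
console.log(result.warning);
console.log(JSON.stringify(result.css));
```

In a real linter the sanitized `result.css` is what gets passed to `postcss.parse`, and `result.warning` goes to the linter's log so that CR-bearing inputs from untrusted sources are visible rather than silently rewritten.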