PostCSS version 8.4.19 is a patch release of the popular CSS transformation tool, succeeding version 8.4.18. Both versions transform styles with JavaScript plugins and share the same core dependencies (nanoid, picocolors and source-map-js), so the underlying foundation is unchanged. The library is licensed under the MIT license and is funded through Open Collective and Tidelift.
The release dates differ: version 8.4.19 was published on November 10, 2022, and version 8.4.18 on October 12, 2022. The dist object shows only a very small difference in unpackedSize, consistent with a patch release carrying bug fixes or minor internal adjustments rather than new features. The API is the same as in the previous release and there are no breaking changes, so moving from 8.4.18 to 8.4.19 should be painless. Note, however, that neither version addresses the parsing issue described below, which was fixed in 8.4.31; projects that run PostCSS over untrusted CSS should upgrade at least that far rather than stopping at 8.4.19.
Known vulnerabilities affecting version 8.4.19 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters, and any other tool, that use PostCSS to parse external, untrusted CSS. An attacker can prepare a stylesheet so that part of it is a comment under the CSS syntax a browser follows (in the example above, the /* that follows a \r inside a parenthesised value), while PostCSS, because of how it handled \r in that position, keeps tokenizing and treats the same text as ordinary CSS. After processing, text that a browser discards as a comment appears in the PostCSS output as real CSS nodes (rules, declarations), so a linter or sanitizer built on PostCSS reviews different CSS from what the browser actually applies. Upgrading to PostCSS 8.4.31 or later resolves the issue.
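To make the discrepancy concrete, the following is an added illustration written for this page; it is not PostCSS's source code. The "(...)" handling models, as an assumption, how a PostCSS-style tokenizer swallows a parenthesised value as one opaque token unless it contains a "bad" character, and the fix is modelled as adding \r to that set; the two regexes and the SAMPLE stylesheet are constructed for the demonstration. It also shows the defensive step a practitioner can take while stuck on an older version: normalising line endings per the CSS Syntax Level 3 preprocessing rules before handing untrusted CSS to the parser.

```javascript
// Added illustration for this page; not PostCSS's source code.
// ASSUMPTION: the "(...)" handling below models how a PostCSS-style tokenizer
// treats a parenthesised value as one opaque token unless it contains a "bad"
// character, and the 8.4.31 fix is modelled as adding \r to that set.
const LEGACY_BAD_BRACKET = /.[\n"'(\/\\]/;  // models pre-8.4.31 behaviour (assumption)
const FIXED_BAD_BRACKET = /.[\r\n"'(\/\\]/; // models 8.4.31 and later (assumption)

const WHITESPACE = /[ \t\n\r\f]/;
const WORD_END = /[ \t\n\r\f{};:,()\/]/;

// Tokenize CSS into [type, text] pairs. Only the token classes needed for the
// demonstration exist: space, punctuation, brackets, comment and word.
function tokenize(css, badBracket) {
  const tokens = [];
  let pos = 0;
  while (pos < css.length) {
    const ch = css[pos];
    if (WHITESPACE.test(ch)) {
      let end = pos + 1;
      while (end < css.length && WHITESPACE.test(css[end])) end++;
      tokens.push(['space', css.slice(pos, end)]);
      pos = end;
    } else if ('{};:,)'.includes(ch)) {
      tokens.push([ch, ch]);
      pos++;
    } else if (ch === '(') {
      // Find the next ")" and inspect everything in between. If no "bad"
      // character is present, the whole span becomes one brackets token and a
      // "/*" inside it is never seen as a comment opener.
      const next = css.indexOf(')', pos + 1);
      const content = css.slice(pos, next + 1);
      if (next === -1 || badBracket.test(content)) {
        tokens.push(['(', '(']);
        pos++;
      } else {
        tokens.push(['brackets', content]);
        pos = next + 1;
      }
    } else if (ch === '/' && css[pos + 1] === '*') {
      // A comment runs to the next "*/", or to end of input if there is none.
      const close = css.indexOf('*/', pos + 2);
      const end = close === -1 ? css.length : close + 2;
      tokens.push(['comment', css.slice(pos, end)]);
      pos = end;
    } else {
      // Anything else is a word; a lone "/" that does not open a comment is
      // emitted on its own.
      let end = pos + 1;
      if (ch !== '/') while (end < css.length && !WORD_END.test(css[end])) end++;
      tokens.push(['word', css.slice(pos, end)]);
      pos = end;
    }
  }
  return tokens;
}

// Words the tokenizer treats as live CSS, i.e. not hidden inside a comment.
function visibleWords(css, badBracket) {
  return tokenize(css, badBracket).filter(t => t[0] === 'word').map(t => t[1]);
}

// CSS Syntax Level 3 input preprocessing: CRLF, CR and FF become LF and NUL
// becomes U+FFFD. Running untrusted CSS through this before parsing removes the
// \r ambiguity, because the parser then only ever sees \n as a line break.
function normalizeCssInput(css) {
  return css.replace(/\r\n|\r|\f/g, '\n').replace(/\0/g, '\uFFFD');
}

// Cheap pre-check for a linter: does the input carry a bare CR at all?
function hasBareCarriageReturn(css) {
  return /\r(?!\n)/.test(css);
}

// Constructed sample (not from the advisory): the page's payload, followed by a
// rule and a comment terminator so the two readings diverge visibly.
const SAMPLE = '@font-face{ font:(\r/*);}\n.injected{color:red}\n/* end */';

console.log('legacy tokenizer            :', visibleWords(SAMPLE, LEGACY_BAD_BRACKET));
console.log('fixed tokenizer             :', visibleWords(SAMPLE, FIXED_BAD_BRACKET));
console.log('normalized input, legacy    :', visibleWords(normalizeCssInput(SAMPLE), LEGACY_BAD_BRACKET));
```

With the legacy rule, `.injected`, `color` and `red` come out as ordinary tokens, so a PostCSS-based linter would review a rule that a browser never applies: the browser turns the \r into a line break and treats the `/*` after it as the start of a comment that runs to the final `*/`. With the fixed rule, or after normalising line endings on the way in, the same input tokenizes as a comment, matching what the browser sees.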