PostCSS version 8.4.25 represents a subtle but potentially important update over its predecessor, version 8.4.24, for developers leveraging this powerful CSS transformation tool. Both versions share a common foundation, including core dependencies like nanoid, picocolors, and source-map-js, ensuring continued compatibility with existing projects. They are also licensed under MIT, offering flexibility in usage and modification, and are backed by the same funding initiatives.
The primary difference between the two lies in the dist object, specifically the unpackedSize. Version 8.4.25 reports a size of 195349 bytes, while 8.4.24 reports 193541 bytes. This suggests refinements in the later version, which may encompass bug fixes, performance optimizations, or minor feature enhancements bundled within the library. The update was released on July 6th, 2023; version 8.4.24 was released on May 28th, 2023.
While the core functionality and dependencies remain consistent, developers are advised to upgrade to 8.4.25 to benefit from these potential improvements and to operate with the most current version of the library. Even though the difference in size is small, this upgrade is advisable when starting a new project, and it could be valuable for existing users looking for the most recent bug fixes and minor improvements. Remember to test after upgrading to check for possible regressions.
All vulnerabilities related to version 8.4.25 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts will be included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
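A defensive pre-check for projects that lint untrusted CSS, written as an added example for this page (it is not PostCSS code and does not patch PostCSS): it gates on the fixed version the advisory names, reports bare carriage returns in the input, and normalises line endings so that the parser never sees the \r the advisory describes. The version comparison helper and the sample input are constructed here; the sample is the advisory's own demonstration string.

```javascript
// Assumption from the advisory above: versions before 8.4.31 are affected.
const FIXED_POSTCSS = '8.4.31';

// Minimal "major.minor.patch" comparison (constructed helper, not the
// semver package). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed PostCSS already contains the fix.
function isPatchedPostcss(version) {
  return compareVersions(version, FIXED_POSTCSS) >= 0;
}

// Report 0-based offsets of bare \r characters (a \r not followed by \n),
// the character the advisory names as the source of the discrepancy.
function findBareCarriageReturns(css) {
  const offsets = [];
  for (let i = 0; i < css.length; i++) {
    if (css[i] === '\r' && css[i + 1] !== '\n') offsets.push(i);
  }
  return offsets;
}

// Defense in depth for an unpatched linter: collapse \r\n and bare \r to \n
// before handing external CSS to PostCSS, so every parser involved agrees
// on where lines end. Upgrading to 8.4.31 or later remains the real fix.
function normalizeLineEndings(css) {
  return css.replace(/\r\n?/g, '\n');
}

// Constructed sample: the advisory's demonstration input.
const SAMPLE = '@font-face{ font:(\r/*);}';

// Decide whether an input may be passed to a linter on the given version.
function vetUntrustedCss(css, postcssVersion) {
  const bareCr = findBareCarriageReturns(css);
  return {
    patched: isPatchedPostcss(postcssVersion),
    bareCarriageReturns: bareCr,
    css: isPatchedPostcss(postcssVersion) ? css : normalizeLineEndings(css),
  };
}
```

Running vetUntrustedCss(SAMPLE, '8.4.25') flags the \r at offset 18 and returns the normalised CSS; with '8.4.31' the input is passed through unchanged.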