PostCSS version 8.4.27 introduces subtle improvements over its predecessor, 8.4.26, while maintaining the core functionality as a powerful tool for transforming styles with JavaScript plugins. Both versions share identical dependency requirements, relying on nanoid, picocolors, and source-map-js for their internal operations. This indicates no breaking changes or significant feature additions reflected in the dependency tree between the releases.
The primary discernible difference lies in the dist object's unpackedSize. Version 8.4.27 has a slightly larger unpacked size of 195586 bytes compared to 8.4.26's 195300 bytes. This 286-byte increase suggests minor code optimizations, bug fixes, or documentation updates within the package. While seemingly negligible, such refinements can contribute to enhanced performance or stability.
Developers should note that both versions are licensed under the MIT license, promoting open-source use and modification. The consistent funding avenues through Open Collective, Tidelift, and GitHub Sponsors highlight the project's commitment to sustainability and community support. The releases are relatively close in time, with 8.4.27 released on July 21, 2023, and 8.4.26 on July 13, 2023, suggesting a responsive development cycle addressing ongoing needs and improvements. It is recommended to use the latest version.
All the vulnerabilities related to the version 8.4.27 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts that PostCSS parses as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output as CSS nodes (rules, properties) despite originally being inside a comment.