PostCSS 8.4.28 is a minor release of the popular JavaScript tool for transforming styles with plugins, building upon version 8.4.27. Both versions share the same core dependencies: nanoid for generating unique IDs, picocolors for enhanced console output, and source-map-js for source map handling. The licensing, repository details, author information, and funding avenues remain consistent, indicating a continuation of the project's established support and maintainership.
The primary difference lies in the "dist" section, specifically the unpackedSize. Version 8.4.28 has an unpacked size of 196218 bytes, slightly larger than version 8.4.27's 195586 bytes. This suggests that bug fixes or minor code additions went into 8.4.28. While the file count remains consistent at 55, the subtle size variation may hide important internal adjustments. Moreover, v8.4.28 was released on 2023-08-15, while v8.4.27 was released on 2023-07-21.
For developers, this signifies a potentially more stable and refined version, released almost a month later. The subtle difference should not require a change of workflow in the vast majority of software projects, but its usage for new projects or existing ones is recommended. Developers benefit from leveraging PostCSS to automate CSS tasks, enhance performance, and maintain code quality through its modular plugin ecosystem, which can deal with features such as linting, autoprefixing, and future syntax adaptation.
All the vulnerabilities related to the version 8.4.28 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
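
As an added example (not code from PostCSS or from this page), the following JavaScript scans the packages map of an npm lockfile for PostCSS installs below 8.4.31, the fixed version named in the advisory above. The lockfile content is constructed for illustration, and the package names example-linter and legacy-tool are hypothetical.

```javascript
// Added example: find PostCSS installs older than the fixed release in the advisory.
const FIXED = [8, 4, 31]; // "before 8.4.31" per the advisory text

// True when `version` sorts before 8.4.31. Unparseable strings fail closed (flagged).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // 8.4.31-rc.1 precedes 8.4.31 in semver ordering
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Nested copies (node_modules/x/node_modules/postcss) are checked too, because
// a linter may bundle its own PostCSS regardless of the top-level version.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPostcss =
      path === "node_modules/postcss" || path.endsWith("/node_modules/postcss");
    if (isPostcss && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile; example-linter and legacy-tool are hypothetical names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/example-linter/node_modules/postcss": { version: "8.4.28" },
    "node_modules/legacy-tool/node_modules/postcss": { version: "8.4.27" },
    "node_modules/postcss-value-parser": { version: "4.2.0" },
  },
};

for (const hit of findAffectedPostcss(SAMPLE_LOCK)) {
  console.log(`${hit.path} -> ${hit.version} (upgrade to 8.4.31 or later)`);
}
```

To check a real project, pass the parsed contents of its package-lock.json to findAffectedPostcss in place of SAMPLE_LOCK.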