PostCSS 8.4.30 is a subtle but noteworthy update to the popular JavaScript tool for transforming styles with plugins. Although the move from version 8.4.29 looks incremental, developers should be aware of the changes, even if the core functionality remains consistent. Both versions share identical dependencies, relying on nanoid, picocolors, and source-map-js for core functionality. This suggests the update is unlikely to introduce breaking changes or require significant code adjustments for existing PostCSS implementations. The licensing (MIT), repository details, author, and funding mechanisms are also consistent, emphasizing the project's continued commitment to open-source principles and financial sustainability.
The primary difference lies in the dist section, specifically the unpackedSize and releaseDate. Version 8.4.30 shows a slight increase in unpacked size (196515 bytes vs 196422 bytes in 8.4.29). This suggests minor code alterations, potentially bug fixes, performance improvements, or small feature additions. The updated releaseDate indicates that version 8.4.30 incorporates the latest changes, potentially addressing recently discovered issues. While the core functionality remains the same, those seeking the most up-to-date and potentially refined version of PostCSS should opt for version 8.4.30. Upgrading is generally recommended to benefit from potential bug fixes and subtle enhancements, especially when no major breaking changes are anticipated.
All vulnerabilities related to version 8.4.30 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, these parts will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
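Because the advisory covers every PostCSS release before 8.4.31, a dependency check has to look at each installed copy, not only the top-level one. The script below is an added example, not code from the PostCSS project: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and reports every postcss entry older than 8.4.31. The sample lockfile and the package name "stylelint-like-linter" are constructed for illustration.

```javascript
// Added example: flag every postcss copy in a package-lock.json (lockfileVersion 2/3)
// that predates 8.4.31, the first version the advisory lists as unaffected.
const FIXED = [8, 4, 31];

// Parse "8.4.30" or "8.4.30-beta.1" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before version triple b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns [{ path, version }] for each installed postcss older than FIXED.
// Nested copies (node_modules/x/node_modules/postcss) are included because a
// linter may resolve its own pinned copy rather than the top-level one.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/postcss$/.test(path)) continue;
    const parsed = parseVersion(meta.version);
    // Unparseable versions are reported so they get a manual look.
    if (parsed === null || isBefore(parsed, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile; "stylelint-like-linter" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/stylelint-like-linter/node_modules/postcss": { version: "8.4.30" },
    "node_modules/postcss-value-parser": { version: "4.2.0" },
  },
};

for (const hit of findAffectedPostcss(sampleLock)) {
  console.log(`affected: ${hit.path} @ ${hit.version}`);
}
```

To run it against a real project, replace sampleLock with the parsed contents of that project's package-lock.json.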