Tailwind CSS, a utility-first CSS framework designed for rapid UI development, saw a minor version update from 1.9.3 to 1.9.4. Both versions share the same core dependencies critical for functionality, including tools for: processing CSS (PostCSS), managing colors and values (Chalk, Color), handling JavaScript-based PostCSS configurations (PostCSS-js), purging unused CSS (PurgeCSS), and ensuring browser compatibility (Autoprefixer, Browserslist). The development dependencies necessary for building and testing, like Jest, ESLint, Prettier, and Babel, also remain the same.
While the two versions look identical on the surface, the key difference lies in the updated package metadata. The dist section of version 1.9.4 shows a smaller unpacked size (19977333 bytes) than version 1.9.3 (21412324 bytes), implying potential optimizations or reductions in the overall package size. This may matter to developers concerned about build times and deployment footprints. Furthermore, the releaseDate indicates that 1.9.4 was released shortly after 1.9.3 (October 17, 2020, versus October 16, 2020) and likely contained minor bug fixes or tweaks. Developers are advised to use the newest version to stay up to date on bug fixes.
All vulnerabilities related to version 1.9.4 of the package
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, that content is included in the PostCSS output as CSS nodes (rules, properties) despite having originally been inside a comment.
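To check whether a project resolves a PostCSS copy older than the fixed release named above, the following added example (not code from Tailwind CSS, PostCSS or this page) walks the "packages" map of an npm lockfile and reports every postcss install before 8.4.31. The sample lockfile and the function names are constructed for illustration; a lockfileVersion 2 or 3 layout is assumed.

```javascript
// Added example: flag PostCSS installs older than the fixed release named in the advisory.
const FIXED = "8.4.31"; // from the advisory text: "PostCSS before 8.4.31"

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version a sorts before version b (a prerelease sorts before its release).
function isBefore(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  if (!x || !y) throw new Error(`unparseable version: ${x ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i];
  }
  return x.pre && !y.pre;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of postcss that predates the fix.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/postcss"; match the last segment only,
    // so "postcss-js" or "postcss-nested" are not mistaken for postcss itself.
    if (!/(^|\/)node_modules\/postcss$/.test(path)) continue;
    if (meta.version && isBefore(meta.version, FIXED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not taken from the page).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/postcss": { version: "8.4.31" },
    "node_modules/postcss-js": { version: "2.0.3" },
    "node_modules/tailwindcss/node_modules/postcss": { version: "7.0.35" },
    "node_modules/stylelint/node_modules/postcss": { version: "8.4.30" },
  },
};

console.log(findAffectedPostcss(sampleLock));
```

Nested copies matter here: a top-level postcss at the fixed version does not change which copy a dependency with its own node_modules/postcss actually loads.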