Nanoc Starter

  • By arkency
  • Last update: Dec 19, 2022
  • Comments: 11

Nanoc + Parcel + TailwindCSS

Starter kit for static sites on nanoc with a bit of JavaScript and TailwindCSS styling.

Initial setup

It is assumed you already have Ruby with Bundler and Node present.

./bin/setup

Build for production

One-time processing with optimizations.

./bin/build

Build for development

Starts in the foreground and live-reloads HTML, JS and CSS changes.

./bin/server
open http://localhost:3000/

Unpacking latest release into current directory

curl -s https://api.github.com/repos/arkency/nanoc-parcel-tailwind-starter/releases/latest |\
  grep tarball_url |\
  cut -d'"' -f4 |\
  xargs -n 1 curl -sSL |\
  tar -xz --strip-components=1

GitHub

https://github.com/arkency/nanoc-parcel-tailwind-starter

Comments(11)

  • 1

    [Security] Bump postcss from 7.0.35 to 8.2.14

    Bumps postcss from 7.0.35 to 8.2.14.

    Release notes

    Sourced from postcss's releases.

    8.2.14

    • Removed source-map from client-side bundle (by @​barak007).

    8.2.13

    • Fixed ReDoS vulnerabilities in source map parsing (by @​yetingli).

    8.2.12

    • Fixed package.json exports.

    8.2.11

    • Fixed DEP0148 warning in Node.js 16.
    • Fixed docs (by @​semiromid).

    8.2.10

    8.2.9

    8.2.8

    8.2.7

    8.2.6

    • Fixed Maximum call stack size exceeded in Node#toJSON.
    • Fixed docs (by @​inokawa).

    8.2.5

    • Fixed escaped characters handling in list.split (by @​nex3).

    8.2.4

    8.2.3

    8.2.2

    8.2.1

    • Fixed Node#toJSON() and postcss.fromJSON() (by @​mischnic).

    8.2 “Prince Orobas”

    ... (truncated)

    Changelog

    Sourced from postcss's changelog.

    8.2.14

    • Removed source-map from client-side bundle (by Barak Igal).

    8.2.13

    • Fixed ReDoS vulnerabilities in source map parsing (by Yeting Li).

    8.2.12

    • Fixed package.json exports.

    8.2.11

    • Fixed DEP0148 warning in Node.js 16.
    • Fixed docs (by @​semiromid).

    8.2.10

    • Fixed ReDoS vulnerabilities in source map parsing.
    • Fixed webpack 5 support (by Barak Igal).
    • Fixed docs (by Roeland Moors).

    8.2.9

    • Exported NodeErrorOptions type (by Rouven Weßling).

    8.2.8

    • Fixed browser builds in webpack 4 (by Matt Jones).

    8.2.7

    • Fixed browser builds in webpack 5 (by Matt Jones).

    8.2.6

    • Fixed Maximum call stack size exceeded in Node#toJSON.
    • Fixed docs (by inokawa).

    8.2.5

    • Fixed escaped characters handling in list.split (by Natalie Weizenbaum).

    8.2.4

    • Added plugin name to postcss.plugin() warning (by Tom Williams).
    • Fixed docs (by Bill Columbia).

    8.2.3

    • Fixed JSON.stringify(Node[]) support (by Niklas Mischkulnig).

    8.2.2

    • Fixed CSS-in-JS support (by James Garbutt).
    • Fixed plugin types (by Ludovico Fischer).
    • Fixed Result#warn() types.

    8.2.1

    • Fixed Node#toJSON() and postcss.fromJSON() (by Niklas Mischkulnig).

    8.2 “Prince Orobas”

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
  • 2

    Bump terser from 5.9.0 to 5.14.2

    Bumps terser from 5.9.0 to 5.14.2.

    Changelog

    Sourced from terser's changelog.

    v5.14.2

    • Security fix for RegExps that should not be evaluated (regexp DDOS)
    • Source maps improvements (#1211)
    • Performance improvements in long property access evaluation (#1213)

    v5.14.1

    • keep_numbers option added to TypeScript defs (#1208)
    • Fixed parsing of nested template strings (#1204)

    v5.14.0

    • Switched to @​jridgewell/source-map for sourcemap generation (#1190, #1181)
    • Fixed source maps with non-terminated segments (#1106)
    • Enabled typescript types to be imported from the package (#1194)
    • Extra DOM props have been added (#1191)
    • Delete the AST while generating code, as a means to save RAM

    v5.13.1

    • Removed self-assignments (varname=varname) (closes #1081)
    • Separated inlining code (for inlining things into references, or removing IIFEs)
    • Allow multiple identifiers with the same name in var destructuring (eg var { a, a } = x) (#1176)

    v5.13.0

    • All calls to eval() were removed (#1171, #1184)
    • source-map was updated to 0.8.0-beta.0 (#1164)
    • NavigatorUAData was added to domprops to avoid property mangling (#1166)

    v5.12.1

    • Fixed an issue with function definitions inside blocks (#1155)
    • Fixed parens of new in some situations (closes #1159)

    v5.12.0

    • TERSER_DEBUG_DIR environment variable
    • @​copyright comments are now preserved with the comments="some" option (#1153)

    v5.11.0

    • Unicode code point escapes (\u{abcde}) are not emitted inside RegExp literals anymore (#1147)
    • acorn is now a regular dependency

    v5.10.0

    • Massive optimization to max_line_len (#1109)
    • Basic support for import assertions
    • Marked ES2022 Object.hasOwn as a pure function
    • Fix delete optional?.property
    • New CI/CD pipeline with github actions (#1057)

    ... (truncated)


    You can disable automated security fix PRs for this repo from the Security Alerts page.

  • 3

    Bump minimist from 1.2.5 to 1.2.6

    Bumps minimist from 1.2.5 to 1.2.6.


  • 4

    Bump path-parse from 1.0.6 to 1.0.7

    Bumps path-parse from 1.0.6 to 1.0.7.


  • 5

    Bump @tailwindcss/postcss7-compat from 2.0.3 to 2.2.7

    Bumps @tailwindcss/postcss7-compat from 2.0.3 to 2.2.7.

    Release notes

    Sourced from @​tailwindcss/postcss7-compat's releases.

    v2.2.6

    Fixed

    • Fix issue where base styles not generated for translate transforms in JIT (#5038)

    v2.2.5

    Added

    • Added self-baseline utility (I know this is a patch release, no one's going to die relax) (#5000)

    Changed

    • JIT: Optimize universal selector usage by inlining only the relevant selectors (#4850)

      This provides a very significant performance boost on pages with a huge number of DOM nodes, but there's a chance it could be a breaking change in very rare edge cases we haven't thought of. Please open an issue if anything related to shadows, rings, transforms, filters, or backdrop-filters seems to be behaving differently after upgrading.

    Fixed

    • Fix support for step-start and step-end in animation utilities (#4795)
    • JIT: Prevent presence of !* in templates from ruining everything (#4816)
    • JIT: Improve support for quotes in arbitrary values (#4817)
    • Fix filter/backdrop-filter/transform utilities being inserted into the wrong position if not all core plugins are enabled (#4852)
    • JIT: Fix @layer rules being mistakenly inserted during incremental rebuilds (#4853)
    • Improve build performance for projects with many small non-Tailwind stylesheets (#4644)
    • Ensure [hidden] works as expected on elements where we override the default display value in Preflight (#4873)
    • Fix variant configuration not being applied to backdropOpacity utilities (#4892)

    v2.2.4

    Fixed

    • Remove postinstall script that was preventing people from installing the library (1eacfb9)

    v2.2.3

    Added

    • Pass extended color palette to theme closures so it can be used without installing Tailwind when using npx tailwindcss (359252c)

    Fixed

    • JIT: Explicitly error when - is used as a custom separator (#4704)
    • JIT: Don't add multiple ~ when stacking peer-* variants (#4757)
    • Remove outdated focus style fix in Preflight (#4780)
    • Enable purge if provided on the CLI (#4772)
    • JIT: Fix error when not using a config file with postcss-cli (#4773)
    • Fix issue with resolveConfig not being importable in Next.js pages (#4725)

    v2.2.2

    Fixed

    • JIT: Reintroduce transform, filter, and backdrop-filter classes purely to create stacking contexts to minimize the impact of the breaking change (#4700)

    ... (truncated)

    Changelog

    Sourced from @​tailwindcss/postcss7-compat's changelog.

    [2.2.7] - 2021-07-23

    Fixed

    • Temporarily revert runtime performance optimizations introduced in v2.2.5, use universal selector again (#5060)

    [2.2.6] - 2021-07-21

    Fixed

    • Fix issue where base styles not generated for translate transforms in JIT (#5038)

    [2.2.5] - 2021-07-21

    Added

    • Added self-baseline utility (I know this is a patch release, no one's going to die relax) (#5000)

    Changed

    • JIT: Optimize universal selector usage by inlining only the relevant selectors (#4850)

      This provides a very significant performance boost on pages with a huge number of DOM nodes, but there's a chance it could be a breaking change in very rare edge cases we haven't thought of. Please open an issue if anything related to shadows, rings, transforms, filters, or backdrop-filters seems to be behaving differently after upgrading.

    Fixed

    • Fix support for step-start and step-end in animation utilities (#4795)
    • JIT: Prevent presence of !* in templates from ruining everything (#4816)
    • JIT: Improve support for quotes in arbitrary values (#4817)
    • Fix filter/backdrop-filter/transform utilities being inserted into the wrong position if not all core plugins are enabled (#4852)
    • JIT: Fix @layer rules being mistakenly inserted during incremental rebuilds (#4853)
    • Improve build performance for projects with many small non-Tailwind stylesheets (#4644)
    • Ensure [hidden] works as expected on elements where we override the default display value in Preflight (#4873)
    • Fix variant configuration not being applied to backdropOpacity utilities (#4892)

    [2.2.4] - 2021-06-23

    Fixed

    • Remove postinstall script that was preventing people from installing the library (1eacfb9)

    [2.2.3] - 2021-06-23

    Added

    • Pass extended color palette to theme closures so it can be used without installing Tailwind when using npx tailwindcss (359252c)

    Fixed

    • JIT: Explicitly error when - is used as a custom separator (#4704)

    ... (truncated)

  • 6

    [Security] Bump color-string from 1.5.4 to 1.6.0

    Bumps color-string from 1.5.4 to 1.6.0. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service (ReDOS)

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

    Affected versions: < 1.5.5

    Release notes

    Sourced from color-string's releases.

    1.6.0

    Minor release 1.6.0

    • #55 - Add support for space-separated HSL

    Thanks @​htunnicliff for the contribution :)

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

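
The quantifier overlap described in the color-string release notes above, as an added example that is not part of the original page or of color-string's code. Both patterns are constructed to illustrate the described shape, and the names `parseHue`, `compareGrowth`, `patternsAgree` and the `MAX_COLOR_LENGTH` cap are assumptions made for this sketch.

```javascript
// Added illustration: both patterns are constructed for this example and are
// NOT copied from color-string. All names here are hypothetical.

// Shape described in the release notes: the hue's integer part uses a
// 0-or-more quantifier (\d*) followed shortly by a 1-or-more quantifier (\d+).
// Both can claim the same digits, so a failing match retries every split.
const HUE_AMBIGUOUS = /^hwb\(\s*([+-]?\d*\.?\d+)(?:deg)?\s*,/;

// Accepts the same hue strings ("120", "120.5", ".5"), but every digit can be
// claimed by exactly one quantifier, so a failing match gives up in one pass.
const HUE_UNAMBIGUOUS = /^hwb\(\s*([+-]?(?:\d+(?:\.\d+)?|\.\d+))(?:deg)?\s*,/;

// Assumed upper bound for a colour string; rejecting longer input before the
// regex runs bounds the work regardless of which pattern is in use.
const MAX_COLOR_LENGTH = 64;

// Returns the hue as a number, or null for oversized or non-matching input.
function parseHue(input, pattern = HUE_UNAMBIGUOUS) {
  if (typeof input !== 'string' || input.length > MAX_COLOR_LENGTH) return null;
  const m = pattern.exec(input);
  return m ? Number(m[1]) : null;
}

// Constructed invalid input: a long run of digits with no comma after it,
// so the match must fail after the hue has been scanned.
function invalidHwb(digits) {
  return 'hwb(' + '1'.repeat(digits);
}

// Best of three wall-clock measurements, in milliseconds.
function bestOfThreeMs(pattern, input) {
  let best = Infinity;
  for (let i = 0; i < 3; i++) {
    const start = process.hrtime.bigint();
    pattern.test(input);
    best = Math.min(best, Number(process.hrtime.bigint() - start) / 1e6);
  }
  return best;
}

// Times both patterns directly (bypassing the length cap) on growing input.
function compareGrowth(sizes = [2000, 4000, 8000]) {
  return sizes.map((n) => {
    const input = invalidHwb(n);
    return {
      n,
      ambiguousMs: bestOfThreeMs(HUE_AMBIGUOUS, input),
      unambiguousMs: bestOfThreeMs(HUE_UNAMBIGUOUS, input),
    };
  });
}

// Constructed samples used to confirm the rewrite did not change behaviour.
const SAMPLES = [
  'hwb(120, 10%, 20%)',
  'hwb(120.5deg, 10%, 20%)',
  'hwb(.5, 0%, 0%)',
  'hwb( -12.25 , 0%, 0%)',
  'hwb(12., 0%, 0%)', // invalid: trailing dot
  'hwb(abc, 0%, 0%)', // invalid: no digits
  'hwb(120 10% 20%)', // invalid here: no comma
];

// True when both patterns return the same result for every sample.
function patternsAgree(samples = SAMPLES) {
  return samples.every(
    (s) => parseHue(s, HUE_AMBIGUOUS) === parseHue(s, HUE_UNAMBIGUOUS)
  );
}

console.table(compareGrowth());
```

Doubling the digit count should leave the unambiguous column near zero while the ambiguous column grows much faster than the input length.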
  • 7

    [Security] Bump addressable from 2.7.0 to 2.8.0

    Bumps addressable from 2.7.0 to 2.8.0. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service in Addressable templates

    Impact

    Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

    Patches

    The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

    Workarounds

    The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

    References

    For more information

    If you have any questions or comments about this advisory:

    ... (truncated)

    Affected versions: > 2.3.0, <= 2.7.0

    Changelog

    Sourced from addressable's changelog.

    Addressable 2.8.0

    • fixes ReDoS vulnerability in Addressable::Template#match
    • no longer replaces + with spaces in queries for non-http(s) schemes
    • fixed encoding ipv6 literals
    • the :compacted flag for normalized_query now dedupes parameters
    • fix broken escape_component alias
    • dropping support for Ruby 2.0 and 2.1
    • adding Ruby 3.0 compatibility for development tasks
    • drop support for rack-mount and remove Addressable::Template#generate
    • performance improvements
    • switch CI/CD to GitHub Actions

    Commits

    • 6469a23 Updating gemspec again
    • 2433638 Merge branch 'main' of github.com:sporkmonger/addressable into main
    • e9c76b8 Merge pull request #378 from ashmaroli/flat-map
    • 56c5cf7 Update the gemspec
    • c1fed1c Require a non-vulnerable rake
    • 0d8a312 Adding note about ReDoS vulnerability
    • 89c7613 Merge branch 'template-regexp' into main
    • cf8884f Note about alias fix
    • bb03f71 Merge pull request #371 from charleystran/add_missing_encode_component_doc_entry
    • 6d1d809 Adding note about :compacted normalization
    • Additional commits viewable in compare view

  • 8

    Bump @tailwindcss/postcss7-compat from 2.0.3 to 2.2.4

    Bumps @tailwindcss/postcss7-compat from 2.0.3 to 2.2.4.

    Release notes

    Sourced from @​tailwindcss/postcss7-compat's releases.

    v2.2.4

    Fixed

    • Remove postinstall script that was preventing people from installing the library (1eacfb9)

    v2.2.3

    Added

    • Pass extended color palette to theme closures so it can be used without installing Tailwind when using npx tailwindcss (359252c)

    Fixed

    • JIT: Explicitly error when - is used as a custom separator (#4704)
    • JIT: Don't add multiple ~ when stacking peer-* variants (#4757)
    • Remove outdated focus style fix in Preflight (#4780)
    • Enable purge if provided on the CLI (#4772)
    • JIT: Fix error when not using a config file with postcss-cli (#4773)
    • Fix issue with resolveConfig not being importable in Next.js pages (#4725)

    v2.2.2

    Fixed

    • JIT: Reintroduce transform, filter, and backdrop-filter classes purely to create stacking contexts to minimize the impact of the breaking change (#4700)

    v2.2.1

    Fixed

    • Recover from errors gracefully in CLI watch mode (#4693)
    • Fix issue with media queries not being generated properly when using PostCSS 7 (#4695)

    v2.2.0

    Tailwind CSS v2.2.0

    Six weeks ago I didn't even have v2.2 on my roadmap and yet somehow here we are today, with one of the biggest Tailwind CSS feature releases of all-time?!

    This release is loaded with tons of cool new stuff, mostly targeting the new Just-in-Time mode which unlocks so many cool ideas we probably couldn't have pulled off if we had to keep being mindful of the CSS file size in development.

    To upgrade, install the latest version via npm:

    npm install -D [email protected]
    

    Note that we've had to make a couple small changes to the JIT engine as we've added features, fixed bugs, and improved the overall reliability, so make sure to read about the changes and deprecations when upgrading if you are using just-in-time mode.

    ... (truncated)

    Changelog

    Sourced from @tailwindcss/postcss7-compat's changelog.

    [2.2.4] - 2021-06-23

    Fixed

    • Remove postinstall script that was preventing people from installing the library (1eacfb9)

    [2.2.3] - 2021-06-23

    Added

    • Pass extended color palette to theme closures so it can be used without installing Tailwind when using npx tailwindcss (359252c)

    Fixed

    • JIT: Explicitly error when - is used as a custom separator (#4704)
    • JIT: Don't add multiple ~ when stacking peer-* variants (#4757)
    • Remove outdated focus style fix in Preflight (#4780)
    • Enable purge if provided on the CLI (#4772)
    • JIT: Fix error when not using a config file with postcss-cli (#4773)
    • Fix issue with resolveConfig not being importable in Next.js pages (#4725)

    [2.2.2] - 2021-06-18

    Fixed

    • JIT: Reintroduce transform, filter, and backdrop-filter classes purely to create stacking contexts to minimize the impact of the breaking change (#4700)

    [2.2.1] - 2021-06-18

    Fixed

    • Recover from errors gracefully in CLI watch mode (#4693)
    • Fix issue with media queries not being generated properly when using PostCSS 7 (#4695)

    [2.2.0] - 2021-06-17

    Changed

    • JIT: Use "tracking" context by default instead of "watching" context for improved reliability with most bundlers (#4514)

      Depending on which tooling you use, you may need to explicitly set TAILWIND_MODE=watch until your build runner has been updated to support PostCSS's dir-dependency message type.

    Added

    • Add background-origin utilities (#4117)
    • Improve @apply performance in projects that process many CSS sources (#3178)
    • JIT: Don't use CSS variables for color utilities if color opacity utilities are disabled (#3984)
    • JIT: Redesign matchUtilities API to make it more suitable for third-party use (#4232)
    • JIT: Support applying important utility variants (#4260)
    • JIT: Support coercing arbitrary values when the type isn't detectable (#4263)

    ... (truncated)

  • 9

    [Security] Bump color-string from 1.5.4 to 1.5.5

    Bumps color-string from 1.5.4 to 1.5.5. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Regular Expression Denial of Service (ReDOS)

    A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

    Affected versions: < 1.5.5

    Release notes

    Sourced from color-string's releases.

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

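The quantifier overlap described in the color-string release notes above, as an added example that is not part of the Dependabot comment or of color-string's code. It runs a small greedy backtracking matcher with a step counter over two constructed token lists: one with the shape the notes describe (a 0-or-more digit run followed by a 1-or-more digit run) and one with bounded quantifiers. The token lists, the bounds (3 and 10 digits) and the sample input are assumptions for illustration.

```javascript
// Added illustration: a tiny greedy backtracking matcher with a step counter.
// The token lists are constructed to mirror the pattern *shape* described in
// the release notes; they are not color-string's actual regular expressions.
const digit = (c) => c >= '0' && c <= '9';
const lit = (x) => (c) => c === x;

// Each token is {test, min, max}: match `test` between min and max times.
function run(tokens, input) {
  let steps = 0;
  function match(ti, pos) {
    steps++;
    if (ti === tokens.length) return true;
    const { test, min, max } = tokens[ti];
    let n = 0;
    while (n < max && pos + n < input.length && test(input[pos + n])) n++;
    // Greedy first, then give characters back one at a time (backtracking).
    for (; n >= min; n--) {
      if (match(ti + 1, pos + n)) return true;
    }
    return false;
  }
  return { matched: match(0, 0), steps };
}

// Shape from the notes: \d* \.? \d+ then a required "," (unbounded, overlapping).
const UNBOUNDED_HUE = [
  { test: digit, min: 0, max: Infinity },
  { test: lit('.'), min: 0, max: 1 },
  { test: digit, min: 1, max: Infinity },
  { test: lit(','), min: 1, max: 1 },
];

// Bounded alternative (assumed limits): \d{1,3} \.? \d{0,10} then ",".
const BOUNDED_HUE = [
  { test: digit, min: 1, max: 3 },
  { test: lit('.'), min: 0, max: 1 },
  { test: digit, min: 0, max: 10 },
  { test: lit(','), min: 1, max: 1 },
];

// Constructed non-matching input: n digits and no "," for the pattern to end on.
const failing = (n) => '1'.repeat(n) + '!';

function stepsFor(tokens, n) {
  return run(tokens, failing(n)).steps;
}

for (const n of [100, 200, 400]) {
  console.log(n, stepsFor(UNBOUNDED_HUE, n), stepsFor(BOUNDED_HUE, n));
}
```

In this model, doubling the digit run roughly quadruples the steps for the unbounded shape, while the bounded shape does the same fixed amount of work at every length. Rejecting over-long color strings before they reach the parser limits the cost regardless of the pattern.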
  • 10

    Bump @tailwindcss/postcss7-compat from 2.0.3 to 2.2.2

    Bumps @tailwindcss/postcss7-compat from 2.0.3 to 2.2.2.

    Release notes

    Sourced from @tailwindcss/postcss7-compat's releases.

    v2.2.2

    Fixed

    • JIT: Reintroduce transform, filter, and backdrop-filter classes purely to create stacking contexts to minimize the impact of the breaking change (#4700)

    v2.2.1

    Fixed

    • Recover from errors gracefully in CLI watch mode (#4693)
    • Fix issue with media queries not being generated properly when using PostCSS 7 (#4695)

    v2.2.0

    Tailwind CSS v2.2.0

    Six weeks ago I didn't even have v2.2 on my roadmap and yet somehow here we are today, with one of the biggest Tailwind CSS feature releases of all-time?!

    This release is loaded with tons of cool new stuff, mostly targeting the new Just-in-Time mode which unlocks so many cool ideas we probably couldn't have pulled off if we had to keep being mindful of the CSS file size in development.

    To upgrade, install the latest version via npm:

    npm install -D [email protected]
    

    Note that we've had to make a couple small changes to the JIT engine as we've added features, fixed bugs, and improved the overall reliability, so make sure to read about the changes and deprecations when upgrading if you are using just-in-time mode.


    ... (truncated)

    Changelog

    Sourced from @tailwindcss/postcss7-compat's changelog.

    [2.2.2] - 2021-06-18

    Fixed

    • JIT: Reintroduce transform, filter, and backdrop-filter classes purely to create stacking contexts to minimize the impact of the breaking change (#4700)

    [2.2.1] - 2021-06-18

    Fixed

    • Recover from errors gracefully in CLI watch mode (#4693)
    • Fix issue with media queries not being generated properly when using PostCSS 7 (#4695)

    [2.2.0] - 2021-06-17

    Changed

    • JIT: Use "tracking" context by default instead of "watching" context for improved reliability with most bundlers (#4514)

      Depending on which tooling you use, you may need to explicitly set TAILWIND_MODE=watch until your build runner has been updated to support PostCSS's dir-dependency message type.

    Added

    • Add background-origin utilities (#4117)
    • Improve @apply performance in projects that process many CSS sources (#3178)
    • JIT: Don't use CSS variables for color utilities if color opacity utilities are disabled (#3984)
    • JIT: Redesign matchUtilities API to make it more suitable for third-party use (#4232)
    • JIT: Support applying important utility variants (#4260)
    • JIT: Support coercing arbitrary values when the type isn't detectable (#4263)
    • JIT: Support for raw syntax in purge config (#4272)
    • Add empty variant (#3298)
    • Update modern-normalize to v1.1 (#4287)
    • Implement theme function internally, remove postcss-functions dependency (#4317)
    • Add screen function to improve nesting plugin compatibility (#4318)
    • JIT: Add universal shorthand color opacity syntax (#4348)
    • JIT: Add @tailwind variants directive to replace @tailwind screens (#4356)
    • JIT: Add support for PostCSS dir-dependency messages in TAILWIND_DISABLE_TOUCH mode (#4388)
    • JIT: Add per-side border color utilities (#4404)
    • JIT: Add support for before and after pseudo-element variants and content utilities (#4461)
    • Add new transform and extract APIs to simplify PurgeCSS/JIT customization (#4469)
    • JIT: Add exhaustive pseudo-class and pseudo-element variant support (#4482)
    • JIT: Add caret-color utilities (#4499)
    • Rename lightBlue to sky, emit console warning when using deprecated name (#4513)
    • New CLI with improved JIT support, --watch mode, and more (#4526, 4558)
    • JIT: Add new peer-* variants for styling based on sibling state (#4556)
    • Expose safelist as a top-level option under purge for both JIT and classic engines (#4580)
    • JIT: Remove need for transform class when using classes like scale-*, rotate-*, etc. (#4604)
    • JIT: Remove need for filter and backdrop-filter classes when using classes like contrast-*, backdrop-blur-*, etc. (#4614)
    • Support passing a custom path for your PostCSS configuration in the Tailwind CLI (#4607)
    • Add blur-none by default with intent to deprecate blur-0 (#4614)

    ... (truncated)

  • 11

    Bump postcss from 7.0.35 to 7.0.36

    Bumps postcss from 7.0.35 to 7.0.36.

    Release notes

    Sourced from postcss's releases.

    7.0.36

    • Backport ReDoS vulnerabilities from PostCSS 8.

    Changelog

    Sourced from postcss's changelog.

    7.0.36

    • Backport ReDoS vulnerabilities from PostCSS 8.