This repository was archived by the owner on Sep 11, 2025. It is now read-only.

chore(deps): update dependency postcss to v8.4.31 [security]#7505

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/npm-postcss-vulnerability

Contributor

renovate bot commented Jan 24, 2025

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	`8.4.16` -> `8.4.31`

Test plan: CI should pass with updated dependencies. No review required: this is an automated dependency update PR.

GitHub Vulnerability Alerts

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Release Notes

postcss/postcss (postcss)

`v8.4.31`

Fixed \r parsing to fix CVE-2023-44270.

`v8.4.30`

Improved source map performance (by Romain Menke).

`v8.4.29`

Fixed Node#source.offset (by Ido Rosenthal).
Fixed docs (by Christian Oliff).

`v8.4.28`

Fixed Root.source.end for better source map (by Romain Menke).
Fixed Result.root types when process() has no parser.

`v8.4.27`

Fixed Container clone methods types.

`v8.4.26`

Fixed clone methods types.

`v8.4.25`

Improve stringify performance (by Romain Menke).
Fixed docs (by @vikaskaliramna07).

`v8.4.24`

Fixed Plugin types.

`v8.4.23`

Fixed warnings in TypeDoc.

`v8.4.22`

Fixed TypeScript support with node16 (by Remco Haszing).

`v8.4.21`

Fixed Input#error types (by Aleks Hudochenkov).

`v8.4.20`

Fixed source map generation for childless at-rules like @layer.

`v8.4.19`

Fixed whitespace preserving after AST transformations (by Romain Menke).

`v8.4.18`

Fixed an error on absolute: true with empty sourceContent (by Rene Haas).

`v8.4.17`

Fixed Node.before() unexpected behavior (by Romain Menke).
Added TOC to docs (by Mikhail Dedov).

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the bot label

netlify bot commented Jan 24, 2025 •

edited

Loading

✅ Deploy Preview for sourcegraph ready!

Name	Link
🔨 Latest commit	`edcafec`
🔍 Latest deploy log	https://app.netlify.com/sites/sourcegraph/deploys/67a8c29660a1850008f67be9
😎 Deploy Preview	https://deploy-preview-7505--sourcegraph.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

renovate bot force-pushed the renovate/npm-postcss-vulnerability branch 3 times, most recently from e729e67 to 8cf69da Compare

February 2, 2025 02:26


          chore(deps): update dependency postcss to v8.4.31 [security]

edcafec

renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 8cf69da to edcafec Compare

February 9, 2025 14:58

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

bot