Skip to content

fix(deps): override postcss ^8.5.16 (GHSA-qx2v-qp2m-jg93)#170

Merged
EmiyaKiritsugu3 merged 2 commits into
mainfrom
fix/postcss-cve-override
Jul 4, 2026
Merged

fix(deps): override postcss ^8.5.16 (GHSA-qx2v-qp2m-jg93)#170
EmiyaKiritsugu3 merged 2 commits into
mainfrom
fix/postcss-cve-override

Conversation

@EmiyaKiritsugu3

@EmiyaKiritsugu3 EmiyaKiritsugu3 commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Closes #156.

Dependabot #156 fails audit: next@15.5.20 bundles nested postcss@8.4.31 (<8.5.10, XSS GHSA-qx2v-qp2m-jg93). Dependabot can only bump top-level postcss, not the transitive copy inside next/node_modules/.

npm overrides forces ^8.5.16 transitively — all postcss instances now resolve to 8.5.16.

Verification:

  • npm ls postcss → single 8.5.16, no nested 8.4.31
  • npm audit --audit-level=high → 0 high

Summary by cubic

Force postcss to ^8.5.16 via npm overrides to patch the XSS vulnerability (GHSA-qx2v-qp2m-jg93) coming from next’s nested postcss@8.4.31, and remove the unused postcss devDependency. Also add ADR-001 documenting the Recharts 3 upgrade and un-ignore ADR files. Closes #156.

  • Dependencies
    • Add "overrides": { "postcss": "^8.5.16" } so all transitive installs resolve to 8.5.16 (including next).
    • Drop postcss from devDependencies.

Written for commit 6fc96bb. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Chores
    • Updated a project dependency version to keep the app’s build environment current and consistent.

….4.31 (GHSA-qx2v-qp2m-jg93)

postcss is not imported directly — postcss.config.mjs uses types only,
@tailwindcss/postcss bundles its own, Next ships a nested 8.4.31.
npm override forces the transitive version across all install contexts.

Closes #156.
@vercel

vercel Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
smartmanagementsystem Ready Ready Preview, Comment Jul 4, 2026 12:10pm

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

The postcss dependency entry was removed from its prior location in package.json and re-added under the overrides section with the version bumped from ^8.5.15 to ^8.5.16.

Changes

Dependency Version Update

Layer / File(s) Summary
postcss override bump
package.json
postcss removed from its previous location and re-specified under overrides at version ^8.5.16.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Related issues: #156 (chore(deps-dev): bump postcss from 8.5.15 to 8.5.16)

Suggested labels: dependencies

Suggested reviewers: EmiyaKiritsugu3

Poem

A rabbit hops through lockfile trees,
One version up, as light as breeze,
postcss now sits in overrides' nest,
A tiny hop, a tidy quest. 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description explains the change, but it does not follow the repo template sections for type, related documents, or checklist. Add the required ## Type of Change, ## Related Documents, and ## Checklist sections, and fill them out with the relevant items.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The change addresses #156 by moving PostCSS to 8.5.16 via npm overrides, satisfying the requested bump.
Out of Scope Changes check ✅ Passed The diff is limited to the PostCSS dependency adjustment and removal of the old devDependency.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title clearly states the PostCSS 8.5.16 override and matches the security-focused change in the diff.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/postcss-cve-override

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@ecc-tools

ecc-tools Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

@sonarqubecloud

sonarqubecloud Bot commented Jul 4, 2026

Copy link
Copy Markdown

@EmiyaKiritsugu3 EmiyaKiritsugu3 merged commit 816d961 into main Jul 4, 2026
14 checks passed
@EmiyaKiritsugu3 EmiyaKiritsugu3 deleted the fix/postcss-cve-override branch July 4, 2026 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant