fix(deps): override postcss ^8.5.16 (GHSA-qx2v-qp2m-jg93)#170
Conversation
….4.31 (GHSA-qx2v-qp2m-jg93) postcss is not imported directly — postcss.config.mjs uses types only, @tailwindcss/postcss bundles its own, Next ships a nested 8.4.31. npm override forces the transitive version across all install contexts. Closes #156.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
WalkthroughThe ChangesDependency Version Update
Estimated code review effort: 1 (Trivial) | ~2 minutes Related issues: Suggested labels: dependencies Suggested reviewers: EmiyaKiritsugu3 Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…ecisions/ADR-*.md
|
ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR. |
|



Closes #156.
Dependabot #156 fails audit:
next@15.5.20bundles nestedpostcss@8.4.31(<8.5.10, XSS GHSA-qx2v-qp2m-jg93). Dependabot can only bump top-levelpostcss, not the transitive copy insidenext/node_modules/.npm
overridesforces ^8.5.16 transitively — allpostcssinstances now resolve to 8.5.16.Verification:
npm ls postcss→ single 8.5.16, no nested 8.4.31npm audit --audit-level=high→ 0 highSummary by cubic
Force
postcssto ^8.5.16 via npmoverridesto patch the XSS vulnerability (GHSA-qx2v-qp2m-jg93) coming fromnext’s nestedpostcss@8.4.31, and remove the unusedpostcssdevDependency. Also add ADR-001 documenting the Recharts 3 upgrade and un-ignore ADR files. Closes #156."overrides": { "postcss": "^8.5.16" }so all transitive installs resolve to 8.5.16 (includingnext).postcssfromdevDependencies.Written for commit 6fc96bb. Summary will update on new commits.
Summary by CodeRabbit