chore(deps): update dependency postcss to v8.5.10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
postcss (source)	8.5.8 → 8.5.10

---

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93
• https://nvd.nist.gov/vuln/detail/CVE-2026-41305
• https://github.com/postcss/postcss/releases/tag/8.5.10
• https://github.com/advisories/GHSA-qx2v-qp2m-jg93

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

🚀 Preview Environment Ready!

30 deployed applications (click to expand)

Name	Status	URL
tanstack-start-basic-example	✅ Active	https://testuser-57402-tanstack-start-basic-example-zephy-98732d0... ↗
rspress-v2	✅ Active	https://testuser-57407-rspress-v2-zephyr-packages-zephyrc-7a835d8... ↗
sample-webpack-application	✅ Active	https://testuser-57423-sample-webpack-application-zephyr--5f3ed17... ↗
mf-react-rsbuild-provider	✅ Active	https://testuser-57431-mf-react-rsbuild-provider-zephyr-p-c2ae175... ↗
rsbuild-sample-app	✅ Active	https://testuser-57409-rsbuild-sample-app-zephyr-packages-a45d9fb... ↗
lynx	✅ Active	https://testuser-57411-lynx-zephyr-packages-zephyrcloudio-59706d2... ↗
hono-app	✅ Active	https://testuser-57420-hono-app-zephyr-packages-zephyrclo-44b9664... ↗
sample-rspack-application	✅ Active	https://testuser-57415-sample-rspack-application-zephyr-p-28ae267... ↗
elysia-app	✅ Active	https://testuser-57417-elysia-app-zephyr-packages-zephyrc-2be824c... ↗
rspack-mf-remote	✅ Active	https://testuser-57413-rspack-mf-remote-zephyr-packages-z-0a3a944... ↗
vite-remote	✅ Active	https://testuser-57421-vite-remote-zephyr-packages-zephyr-34c7dd4... ↗
team-green	✅ Active	https://testuser-57416-team-green-zephyr-packages-zephyrc-e7b9a25... ↗
mf-react-rsbuild	✅ Active	https://testuser-57410-mf-react-rsbuild-zephyr-packages-z-d2a78ab... ↗
modern-js	✅ Active	https://testuser-57435-modern-js-zephyr-packages-zephyrcl-c6641b8... ↗
vite-host	✅ Active	https://testuser-57418-vite-host-zephyr-packages-zephyrcl-99b7a88... ↗
rollup-sample-lib	✅ Active	https://testuser-57401-rollup-sample-lib-zephyr-packages--321bdea... ↗
vite-react-ts	✅ Active	https://testuser-57419-vite-react-ts-zephyr-packages-zeph-29463fb... ↗
rolldown-react	✅ Active	https://testuser-57403-rolldown-react-zephyr-packages-zep-e97873b... ↗
vite-rspack	✅ Active	https://testuser-57412-vite-rspack-zephyr-packages-zephyr-1980d78... ↗
team-red	✅ Active	https://testuser-57414-team-red-zephyr-packages-zephyrclo-92e3b4f... ↗
vite-webpack	✅ Active	https://testuser-57424-vite-webpack-zephyr-packages-zephy-5dd9c38... ↗
rspress-v1	✅ Active	https://testuser-57437-rspress-v1-zephyr-packages-zephyrc-9e1e836... ↗
nuxt	✅ Active	https://testuser-57439-nuxt-zephyr-packages-zephyrcloudio-4a20546... ↗
rspack-nx-mf-host	✅ Active	https://testuser-57404-rspack-nx-mf-host-zephyr-packages--0d67227... ↗
rspack-mf-host	✅ Active	https://testuser-57425-rspack-mf-host-zephyr-packages-zep-0b030b2... ↗
team-blue	✅ Active	https://testuser-57422-team-blue-zephyr-packages-zephyrcl-ddaa8f2... ↗
rspack-nx-mf-remote	✅ Active	https://testuser-57400-rspack-nx-mf-remote-zephyr-package-c862b8a... ↗
vinext-hackernews	✅ Active	https://testuser-57443-vinext-hackernews-zephyr-packages--7dc1d3f... ↗
parcel-react	✅ Active	https://testuser-57406-parcel-react-zephyr-packages-zephy-84a7e91... ↗
astro-blog	✅ Active	https://testuser-57408-astro-blog-zephyr-packages-zephyrc-6232d96... ↗

Details:

• Latest Commit: 347320b
• Updated at: 5/18/2026, 7:07:24 PM