Skip to content

chore(deps): update dependency postcss to v8.5.10 [security]#69

Closed
renovate[bot] wants to merge 37 commits into
mainfrom
renovate/npm-postcss-vulnerability
Closed

chore(deps): update dependency postcss to v8.5.10 [security]#69
renovate[bot] wants to merge 37 commits into
mainfrom
renovate/npm-postcss-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 29, 2026

This PR contains the following updates:

Package Change Age Confidence
postcss (source) 8.5.98.5.10 age confidence

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output
Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');
Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

banshee86vr and others added 30 commits December 11, 2025 14:47
@banshee86vr
feat: Add application skeleton
c10dba9
@banshee86vr
fix: Tuning table layout
b76c0a1
@banshee86vr
chore(deps): refresh pnpm lockfile
b6730d4 
- nodemailer ^8, express-rate-limit; pnpm update -r
- ESLint 9 flat config; vitest passWithNoTests

Made-with: Cursor
@banshee86vr
fix: Add CI pipelines
cc82336
@banshee86vr
fix: Pin trivy github action to v0.35.0 version
05510db
@banshee86vr
fix: Fix dependencies
577698f
@banshee86vr
fix: Fix dependencies
17f41e1
@banshee86vr
fix: Fix dependencies
d6a6b6b
@dependabot
chore(deps): Bump node from 20-alpine to 25-alpine in /docker (#17)
2e11297 
Bumps node from 20-alpine to 25-alpine.

---
updated-dependencies:
- dependency-name: node
  dependency-version: 25-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@renovate @banshee86vr
chore(deps): update nginx docker tag to v1.29 (#16)
b785c93 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Luca Bertelli <53040714+banshee86vr@users.noreply.github.com>
@renovate @banshee86vr
chore(deps): update dependency typescript to v6 (#26)
ebe23ab 
* chore(deps): update dependency typescript to v6

* fix: restore frontend build on TypeScript 6

Remove the deprecated frontend tsconfig baseUrl setting.
This keeps the app building after the TypeScript 6 upgrade.

Made-with: Cursor

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Luca Bertelli <bertelli.luca@proton.me>
@banshee86vr
chore(renovate): use renovate-preset
26c8df8 
Made-with: Cursor
@banshee86vr
fix(security): resolve high pnpm audit findings
30c34f6 
Made-with: Cursor
@dependabot
chore(deps-dev): Bump @typescript-eslint/parser from 8.57.2 to 8.58.0 (
721848f 
…#38)

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 8.57.2 to 8.58.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.58.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@renovate
chore(deps): update dependency @tanstack/react-query to v5.97.0 (#50)
e3decf9 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
chore(deps): update vitest monorepo to v4.1.4 (#49)
23a8f55 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
chore(deps): update react monorepo to v19.2.5 (#47)
60acf4a 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
chore(deps): update dependency postcss to v8.5.9 (#46)
8b2c955 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@dependabot
chore(deps): Bump nodemailer (#51)
6add154 
Bumps the npm_and_yarn group with 1 update in the / directory: [nodemailer](https://github.com/nodemailer/nodemailer).


Updates `nodemailer` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.4...v8.0.5)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 8.0.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps): Bump nginx from 1.29-alpine to 1.29.8-alpine in /docker (#…
cc26876 
…45)

Bumps nginx from 1.29-alpine to 1.29.8-alpine.

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.29.8-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@renovate
chore(deps): update dependency @types/node to v25.6.0 (#41)
0b11a30 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@banshee86vr
chore: integrate pull request 28
1a0c325 
chore(deps): update dependency express-rate-limit to v8.3.2

Squashed from #28

Made-with: Cursor
@banshee86vr
chore: integrate pull request 32
514a7c0 
chore(deps): update postgres docker tag to v18

Squashed from #32

Made-with: Cursor
@banshee86vr
chore: integrate pull request 33
a89aa62 
chore(deps): update redis docker tag to v8

Squashed from #33

Made-with: Cursor
@banshee86vr
chore: integrate pull request 34
b975998 
chore(deps): update dependency dotenv to v17.4.1

Squashed from #34

Made-with: Cursor
@banshee86vr
chore: integrate pull request 35
5d4b2b5 
chore(deps-dev): Bump typescript-eslint from 8.57.2 to 8.58.0

Squashed from #35

Made-with: Cursor
@banshee86vr
chore: integrate pull request 36
193686d 
chore(deps): Bump express-rate-limit from 8.3.1 to 8.3.2

Squashed from #36

Made-with: Cursor
@banshee86vr
chore: integrate pull request 37
dea4ef5 
Bump @typescript-eslint/eslint-plugin to 8.58.0 (dev).

Squashed from:
#37

Made-with: Cursor
@banshee86vr
feat: Adopt Hashicorp Helios Design system
1bbc4df
@banshee86vr
feat: Enhance UI components with new styles
1594268
@renovate renovate Bot enabled auto-merge (squash) April 29, 2026 07:07
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 95af4f6 to b02705a Compare April 29, 2026 07:44
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from b02705a to 3b79685 Compare April 29, 2026 09:54
@renovate renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 3b79685 to cbf624e Compare April 29, 2026 10:08
auto-merge was automatically disabled April 29, 2026 10:13

Pull request was closed

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 29, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^8.5.8). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/npm-postcss-vulnerability branch April 29, 2026 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@banshee86vr