Skip to content

Bump postcss from 8.5.6 to 8.5.15#2033

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/postcss-8.5.12
Open

Bump postcss from 8.5.6 to 8.5.15#2033
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/postcss-8.5.12

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Copy link
Copy Markdown
Contributor

Bumps postcss from 8.5.6 to 8.5.15.

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Changelog

Sourced from postcss's changelog.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 27, 2026
@dependabot dependabot Bot changed the title Bump postcss from 8.5.6 to 8.5.12 Bump postcss from 8.5.6 to 8.5.15 May 22, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.12 branch from 57fd61b to 0caebfa Compare May 22, 2026 10:20
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.15.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.15)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.12 branch from 0caebfa to 7e06372 Compare May 25, 2026 09:38

@namrata111f namrata111f left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary - PR #2033

Approval Status: ✅ APPROVED

Change Overview

  • Type: Security patch update
  • Package: postcss 8.5.6 → 8.5.15
  • Impact: package-lock.json only (7 additions, 7 deletions)

Security Review

Security Fix (8.5.10): XSS via unescaped </style> in non-bundler cases

  • Critical for preventing XSS attacks
  • Properly escapes style tags in output

Security Fix (8.5.12): Fixed reading any file via user-generated CSS

  • Adds opts.unsafeMap to disable checks
  • Prevents arbitrary file reads

Code Quality Review

Performance Improvements:

  • Fixed declaration parsing performance (8.5.15)
  • Fixed nested brackets parsing performance (8.5.11)
  • Improved source map annotation cleaning performance (8.5.7)
  • Faster source map encoding parsing for errors (8.5.9)

Bug Fixes:

  • Fixed custom syntax regression (8.5.14)
  • Fixed postcss-scss comment regression (8.5.13)
  • Fixed Processor#version (8.5.8)

Risk Assessment

  • Risk Level: LOW (upgrade) / HIGH (if not upgraded - XSS vulnerability)
  • Testing Required: Existing PostCSS tests should validate
  • Recommendation: Safe to merge after CI passes

Test Coverage Review

  • No new tests needed (dependency update)
  • Existing PostCSS usage validated by current test suite

Note: This PR has been open for over 30 days (automatic rebases disabled). Consider merging soon to stay current with security fixes.

Recommendation: This fixes critical XSS and file read vulnerabilities plus performance issues. Approve and merge after CI passes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant