
chore(deps): update dependency postcss to v8.5.10 [security]#3915

Open
renovate[bot] wants to merge 1 commit into main from renovate-npm-postcss-vulnerability

Conversation

@renovate
Contributor

@renovate renovate Bot commented May 3, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| postcss (source) | 8.5.1 → 8.5.10 | age | confidence |

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output
Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

```javascript
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes
```

Tested output (Node.js v22, postcss v8.5.5):

```text
Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
```
Impact

Impacts non-bundler use cases, since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS into a website.

Suggested Fix

Escape `</style` in all stringified output values:

```javascript
output = output.replace(/<\/(style)/gi, '<\\/$1');
```

Credits

Discovered and reported by Sunil Kumar (@TharVid)

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

  • Fixed XSS via unescaped `</style>` in non-bundler cases (by @TharVid).

v8.5.9

Compare Source

  • Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

  • Fixed Processor#version.

v8.5.7

Compare Source

  • Improved source map annotation cleaning performance (by CodeAnt AI).

v8.5.6

Compare Source

  • Fixed `ContainerWithChildren` type discriminating (by @Goodwine).

v8.5.5

Compare Source

  • Fixed `package.json` `exports` compatibility with some tools (by @JounQin).

v8.5.4

Compare Source

v8.5.3

Compare Source

v8.5.2

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
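The mitigation the advisory suggests, worked through as an added example (not code from this PR or from PostCSS itself): escape `</style` at the point where stringified CSS is embedded in an HTML `<style>` element, and check that the HTML parser no longer sees an extra closing tag. The function names and the sample input are this example's own; the sample reuses the shape of the advisory's PoC string.

```javascript
// Added example, not part of the PR or of PostCSS. Demonstrates the advisory's
// suggested fix and why it preserves CSS meaning while removing the HTML breakout.

// Replace every "</style" with "<\/style" (case-insensitive, since HTML tag
// names are case-insensitive). Inside a CSS string "\/" is just an escaped "/",
// so the CSS parser still reads the value as "</style", but the HTML parser,
// which ends a <style> element only at a literal "</style", no longer does.
function escapeStyleBreakout(css) {
  return css.replace(/<\/(style)/gi, '<\\/$1');
}

// Count the literal "</style" sequences an HTML parser would treat as closing tags.
// Correctly embedded CSS yields exactly one: the real closer.
function countStyleClosers(html) {
  return (html.match(/<\/style/gi) || []).length;
}

// Embed CSS in a <style> element, escaping first. <style> content is raw text,
// so "</style" is the only sequence that can terminate it early; other markup
// inside (e.g. "<script>") is inert until the element is closed.
function embedInStyle(css) {
  return `<style>${escapeStyleBreakout(css)}</style>`;
}

// Constructed sample input with the same shape as the advisory's PoC value.
const untrustedCss =
  'body { content: "</style><script>alert(1)</script><style>"; }';

// Unescaped embedding: two "</style" sequences, the injected one closes the
// element early. Escaped embedding: only the genuine closer remains.
console.log('unescaped closers:', countStyleClosers(`<style>${untrustedCss}</style>`)); // 2
console.log('escaped closers:  ', countStyleClosers(embedInStyle(untrustedCss)));      // 1
console.log(embedInStyle(untrustedCss));
```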

@renovate renovate Bot added the dependencies Pull requests that update a dependency label May 3, 2026
@netlify

netlify Bot commented May 3, 2026

Deploy Preview for brilliant-pasca-3e80ec canceled.

| Name | Link |
|---|---|
| 🔨 Latest commit | 1a9e8e0 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69ffc794a2369e0008d972df |

@github-actions

github-actions Bot commented May 3, 2026

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 51.62
  • Iterations/s: 17.20
  • Failed Requests: 0.00% (0 of 3106)
📜 Logs

```text
> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test -k -q --vus 4 --duration 1m

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.1 MB 19 kB/s
     data_sent......................: 2.4 MB 40 kB/s
     http_req_blocked...............: avg=6.16µs   min=2.32µs   med=5.02µs   max=412.42µs p(90)=6.28µs   p(95)=6.87µs
     http_req_connecting............: avg=356ns    min=0s       med=0s       max=357.17µs p(90)=0s       p(95)=0s
     http_req_duration..............: avg=76.9ms   min=8.08ms   med=61.89ms  max=416.37ms p(90)=129.25ms p(95)=152.74ms
       { expected_response:true }...: avg=76.9ms   min=8.08ms   med=61.89ms  max=416.37ms p(90)=129.25ms p(95)=152.74ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 3106
     http_req_receiving.............: avg=79.53µs  min=27.02µs  med=71.07µs  max=1.09ms   p(90)=105.22µs p(95)=131.92µs
     http_req_sending...............: avg=33.01µs  min=10.05µs  med=26.77µs  max=1.72ms   p(90)=39.45µs  p(95)=54.66µs
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s
     http_req_waiting...............: avg=76.79ms  min=7.91ms   med=61.79ms  max=416.26ms p(90)=129.15ms p(95)=152.62ms
     http_reqs......................: 3106   51.624969/s
     iteration_duration.............: avg=232.34ms min=156.15ms med=220.74ms max=899.19ms p(90)=291.89ms p(95)=324.25ms
     iterations.....................: 1035   17.202783/s
     vus............................: 4      min=4       max=4
     vus_max........................: 4      min=4       max=4
```

@mkurapov
Contributor

mkurapov commented May 7, 2026

@dependabot rebase

@renovate renovate Bot force-pushed the renovate-npm-postcss-vulnerability branch from ab43a20 to 1a9e8e0 Compare May 9, 2026 23:47