chore(deps): update tailwindcss monorepo to v4.2.4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@tailwindcss/postcss (source)	devDependencies	minor	4.1.18 → 4.2.4
tailwindcss (source)	devDependencies	minor	4.1.18 → 4.2.4

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

v4.2.2

Compare Source

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#​19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#​19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#​19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#​19745)
• Add support for Vite 8 in @tailwindcss/vite (#​19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#​19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#​19812)

v4.2.1

Compare Source

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#​19696)
• Properly detect classes containing . characters within curly braces in MDX files (#​19711)

v4.2.0

Compare Source

Added

• Add mauve, olive, mist, and taupe color palettes to the default theme (#​19627)
• Add @tailwindcss/webpack package to run Tailwind CSS as a webpack plugin (#​19610)
• Add pbs-* and pbe-* utilities for padding-block-start and padding-block-end (#​19601)
• Add mbs-* and mbe-* utilities for margin-block-start and margin-block-end (#​19601)
• Add scroll-pbs-* and scroll-pbe-* utilities for scroll-padding-block-start and scroll-padding-block-end (#​19601)
• Add scroll-mbs-* and scroll-mbe-* utilities for scroll-margin-block-start and scroll-margin-block-end (#​19601)
• Add border-bs-* and border-be-* utilities for border-block-start and border-block-end (#​19601)
• Add inline-*, min-inline-*, max-inline-* utilities for inline-size, min-inline-size, and max-inline-size (#​19612)
• Add block-*, min-block-*, max-block-* utilities for block-size, min-block-size, and max-block-size (#​19612)
• Add inset-s-*, inset-e-*, inset-bs-*, inset-be-* utilities for inset-inline-start, inset-inline-end, inset-block-start, and inset-block-end (#​19613)
• Add font-features-* utility for font-feature-settings (#​19623)

Fixed

• Prevent double @supports wrapper for color-mix values (#​19450)
• Allow whitespace around @source inline() argument (#​19461)
• Emit comment when source maps are saved to files when using @tailwindcss/cli (#​19447)
• Detect utilities containing capital letters followed by numbers (#​19465)
• Fix class extraction for Rails' strict locals (#​19525)
• Align @utility name validation with Oxide scanner rules (#​19524)
• Fix infinite loop when using @variant inside @custom-variant (#​19633)
• Allow multiples of .25 in aspect-* fractions (e.g. aspect-8.5/11) (#​19688)
• Ensure changes to external files listed via @source trigger a full page reload when using @tailwindcss/vite (#​19670)
• Improve performance of Oxide scanner in bigger projects by reducing file system walks (#​19632)
• Ensure import aliases in Astro v5 work without crashing when using @tailwindcss/vite (#​19677)
• Allow escape characters in @utility names to improve support with formatters such as Biome (#​19626)
• Fix incorrect canonicalization results when canonicalizing multiple times (#​19675)
• Add .jj to default ignored content directories (#​19687)

Deprecated

• Deprecate start-* and end-* utilities in favor of inset-s-* and inset-e-* utilities (#​19613)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cubic-dev-ai]

No issues found across 2 files

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​tailwindcss/​postcss@​4.1.18 ⏵ 4.2.4	+1			+1
	tailwindcss@​4.1.18 ⏵ 4.2.4	+1		+17	+3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm lightningcss-android-arm64 under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-android-arm64@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-android-arm64@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-darwin-arm64 under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-darwin-arm64@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-darwin-arm64@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-darwin-x64 under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-darwin-x64@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-darwin-x64@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-freebsd-x64 under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-freebsd-x64@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-freebsd-x64@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-linux-arm-gnueabihf under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-linux-arm-gnueabihf@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-linux-arm-gnueabihf@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-linux-arm64-gnu under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-linux-arm64-gnu@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-linux-arm64-gnu@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-linux-arm64-musl under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-linux-arm64-musl@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-linux-arm64-musl@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-linux-x64-gnu under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-linux-x64-gnu@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-linux-x64-gnu@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-linux-x64-musl under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-linux-x64-musl@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-linux-x64-musl@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-win32-arm64-msvc under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-win32-arm64-msvc@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-win32-arm64-msvc@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss-win32-x64-msvc under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss-win32-x64-msvc@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss-win32-x64-msvc@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm lightningcss under MPL-2.0 License: MPL-2.0 - The applicable license policy does not permit this license (5) (npm metadata) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/package.json) License: MPL-2.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: ? → npm/@tailwindcss/postcss@4.2.4 → npm/lightningcss@1.32.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lightningcss@1.32.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report