From bf6fc66943e8a3ec2fa3368d20b6c61a4979e46b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 27 Apr 2026 11:32:36 +0800
Subject: [PATCH] chore: bump up postcss version to v8.5.10 [SECURITY] (#14877)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.6` → `8.5.10`](https://renovatebot.com/diffs/npm/postcss/8.5.6/8.5.10) | ![age](https://developer.mend.io/api/mc/badges/age/npm/postcss/8.5.10?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/postcss/8.5.6/8.5.10?slim=true) |

---

### PostCSS has XSS via Unescaped `</style>` in its CSS Stringify Output

[CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) / [GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)
More information

#### Details

##### PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

##### Summary

PostCSS v8.5.5 (latest) does not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML, a `</style>` in CSS values breaks out of the style context, enabling XSS.

##### Proof of Concept

```javascript
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "`; console.log(html); // // // Browser: closes the style tag, : true
```

##### Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS into the website.

##### Suggested Fix

Escape `</style>`

---

### Release Notes
postcss/postcss (postcss)

### [`v8.5.10`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8510)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.9...8.5.10)

- Fixed XSS via unescaped `</style>` in non-bundler cases (by [@​TharVid](https://redirect.github.com/TharVid)).

### [`v8.5.9`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#859)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.8...8.5.9)

- Speed up source map encoding parsing in case of the error.

### [`v8.5.8`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#858)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.7...8.5.8)

- Fixed `Processor#version`.

### [`v8.5.7`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#857)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.6...8.5.7)

- Improved source map annotation cleaning performance (by CodeAnt AI).
--- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 7aef1eaec8..fe845ed9e1 100644 --- a/yarn.lock +++ b/yarn.lock @@ -30227,13 +30227,13 @@ __metadata: linkType: hard "postcss@npm:^8.4.33, postcss@npm:^8.4.41, postcss@npm:^8.4.49, postcss@npm:^8.5.6": - version: 8.5.6 - resolution: "postcss@npm:8.5.6" + version: 8.5.10 + resolution: "postcss@npm:8.5.10" dependencies: nanoid: "npm:^3.3.11" picocolors: "npm:^1.1.1" source-map-js: "npm:^1.2.1" - checksum: 10/9e4fbe97574091e9736d0e82a591e29aa100a0bf60276a926308f8c57249698935f35c5d2f4e80de778d0cbb8dcffab4f383d85fd50c5649aca421c3df729b86 + checksum: 10/7eac6169e535b63c8412e94d4f6047fc23efa3e9dde804b541940043c831b25f1cd867d83cd2c4371ad2450c8abcb42c208aa25668c1f0f3650d7f72faf711a8 languageName: node linkType: hard
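Review bot: the hunk changes only the resolved `version`, `resolution` and `checksum` of the single merged `postcss@npm:^8.4.33, …, ^8.5.6` entry, which is the right lockfile-only shape for this bump, but the new checksum is only worth something if CI installs with `yarn install --immutable` so that the recorded hash is validated against the registry tarball rather than rewritten; please confirm that is the case. The quoted changelog scopes the fix to "non-bundler cases", so a sentence in the PR on whether AFFiNE stringifies user-provided CSS into `<style>` at runtime (as opposed to only at build time) would let reviewers judge how urgent the merge is.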
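Defensive handling for the sequence the advisory above describes, as an added example that is not code from this PR or from PostCSS: a detector that mirrors the HTML end-tag rule for `<style>` content, and an escape that neutralises `</` with a CSS string escape before the stringified CSS is interpolated into a page. The function names and the sample CSS are our own assumptions.

```javascript
// Added example: the HTML tokenizer ends a <style> element at the first
// "</style" it sees, whatever the CSS quoting around it, so a "</style>"
// inside a CSS string value terminates the style context when stringified
// CSS is interpolated into HTML. These helpers are illustrative, not PostCSS's.

// Detect whether CSS text would terminate an enclosing <style> element.
// Mirrors the RAWTEXT end-tag rule: "</style" followed by whitespace, "/"
// or ">", case-insensitive. "</stylesheet>" does not qualify.
function containsStyleBreakout(css) {
  return /<\/style[\s/>]/i.test(css);
}

// Escape "</" as "<\/" before embedding. Inside CSS strings "\/" is a valid
// escape that still means "/", so the CSS meaning is unchanged, while the
// HTML tokenizer (which does not interpret CSS escapes) no longer sees an
// end tag. Outside strings "</" is not valid CSS, so nothing legitimate is lost.
function escapeForStyleElement(css) {
  return css.replace(/<\//g, '<\\/');
}

// Wrap CSS in an inline <style> element, escaping first.
function embedStyle(css) {
  return '<style>' + escapeForStyleElement(css) + '</style>';
}

// Constructed sample input (not the advisory's PoC): a CSS value carrying a
// closing style tag followed by a harmless marker.
const untrustedCSS = 'body { content: "</style>MARKER"; }';

console.log('raw input breaks out:', containsStyleBreakout(untrustedCSS));
console.log('embedded:', embedStyle(untrustedCSS));
```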