Update dependency postcss to v8.4.31 [SECURITY]#986

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-postcss-vulnerability

Contributor

renovate bot commented Aug 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
postcss (source)	`8.4.4` → `8.4.31`

GitHub Vulnerability Alerts

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Release Notes

postcss/postcss (postcss)

`v8.4.31`

Fixed \r parsing to fix CVE-2023-44270.

`v8.4.30`

Improved source map performance (by Romain Menke).

`v8.4.29`

Fixed Node#source.offset (by Ido Rosenthal).
Fixed docs (by Christian Oliff).

`v8.4.28`

Fixed Root.source.end for better source map (by Romain Menke).
Fixed Result.root types when process() has no parser.

`v8.4.27`

Fixed Container clone methods types.

`v8.4.26`

Fixed clone methods types.

`v8.4.25`

Improve stringify performance (by Romain Menke).
Fixed docs (by @vikaskaliramna07).

`v8.4.24`

Fixed Plugin types.

`v8.4.23`

Fixed warnings in TypeDoc.

`v8.4.22`

Fixed TypeScript support with node16 (by Remco Haszing).

`v8.4.21`

Fixed Input#error types (by Aleks Hudochenkov).

`v8.4.20`

Fixed source map generation for childless at-rules like @layer.

`v8.4.19`

Fixed whitespace preserving after AST transformations (by Romain Menke).

`v8.4.18`

Fixed an error on absolute: true with empty sourceContent (by Rene Haas).

`v8.4.17`

Fixed Node.before() unexpected behavior (by Romain Menke).
Added TOC to docs (by Mikhail Dedov).

`v8.4.16`

Fixed Root AST migration.

`v8.4.15`

Fixed AST normalization after using custom parser with old PostCSS AST.

`v8.4.14`

Print “old plugin API” warning only if plugin was used (by @zardoy).

`v8.4.13`

Fixed append() error after using .parent (by Jordan Pittman).

`v8.4.12`

Fixed package.funding to have same value between all PostCSS packages.

`v8.4.11`

Fixed Declaration#raws.value type.

`v8.4.10`

Fixed package.funding URL format.

`v8.4.9`

Fixed package.funding (by Álvaro Mondéjar).

`v8.4.8`

Fixed end position in empty Custom Properties.

`v8.4.7`

Fixed Node#warn() type (by Masafumi Koba).
Fixed comment removal in values after ,.

`v8.4.6`

Prevented comment removing when it change meaning of CSS.
Fixed parsing space in last semicolon-less CSS Custom Properties.
Fixed comment cleaning in CSS Custom Properties with space.
Fixed throwing an error on .root access for plugin-less case.

`v8.4.5`

Fixed raws types to make object extendable (by James Garbutt).
Moved from Yarn 1 to pnpm.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from e28086f to 9bdc317 Compare

October 16, 2024 17:38

renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 9bdc317 to 09f67af Compare

August 10, 2025 12:39

renovate bot changed the title ~~Update dependency postcss to v8.4.31 [SECURITY]~~ Update dependency postcss to v8.4.31 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-postcss-vulnerability branch

January 30, 2026 01:31


          Update dependency postcss to v8.4.31 [SECURITY]

5523dd2

renovate bot changed the title ~~Update dependency postcss to v8.4.31 [SECURITY] - autoclosed~~ Update dependency postcss to v8.4.31 [SECURITY]

renovate bot reopened this

renovate bot force-pushed the renovate/npm-postcss-vulnerability branch from 09f67af to 5523dd2 Compare

February 2, 2026 19:51

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet