security(deps-tree): update postcss
to v8.4.31 [security]
#235
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.4.5
->8.4.31
GitHub Vulnerability Alerts
CVE-2021-23368
The npm package
postcss
from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.CVE-2021-23382
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
PoC
CVE-2023-44270
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be
\r
discrepancies, as demonstrated by@font-face{ font:(\r/*);}
in a rule.This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Release Notes
postcss/postcss (postcss)
v8.4.31
Compare Source
\r
parsing to fix CVE-2023-44270.v8.4.30
Compare Source
v8.4.29
Compare Source
Node#source.offset
(by Ido Rosenthal).v8.4.28
Compare Source
Root.source.end
for better source map (by Romain Menke).Result.root
types whenprocess()
has no parser.v8.4.27
Compare Source
Container
clone methods types.v8.4.26
Compare Source
v8.4.25
Compare Source
v8.4.24
Compare Source
Plugin
types.v8.4.23
Compare Source
v8.4.22
Compare Source
node16
(by Remco Haszing).v8.4.21
Compare Source
Input#error
types (by Aleks Hudochenkov).v8.4.20
Compare Source
@layer
.v8.4.19
Compare Source
v8.4.18
Compare Source
absolute: true
with emptysourceContent
(by Rene Haas).v8.4.17
Compare Source
Node.before()
unexpected behavior (by Romain Menke).v8.4.16
Compare Source
Root
AST migration.v8.4.15
Compare Source
v8.4.14
Compare Source
v8.4.13
Compare Source
append()
error after using.parent
(by Jordan Pittman).v8.4.12
Compare Source
package.funding
to have same value between all PostCSS packages.v8.4.11
Compare Source
Declaration#raws.value
type.v8.4.10
Compare Source
package.funding
URL format.v8.4.9
Compare Source
package.funding
(by Álvaro Mondéjar).v8.4.8
Compare Source
v8.4.7
Compare Source
Node#warn()
type (by Masafumi Koba).,
.v8.4.6
Compare Source
.root
access for plugin-less case.Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.