developStorm
Update dependency postcss to v8.4.31 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| postcss (source) | 8.4.8 -> 8.4.31 |
GitHub Vulnerability Alerts
CVE-2023-44270
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Release Notes
postcss/postcss (postcss)
v8.4.31
- Fixed
\rparsing to fix CVE-2023-44270.
v8.4.30
- Improved source map performance (by Romain Menke).
v8.4.29
- Fixed
Node#source.offset(by Ido Rosenthal). - Fixed docs (by Christian Oliff).
v8.4.28
- Fixed
Root.source.endfor better source map (by Romain Menke). - Fixed
Result.roottypes whenprocess()has no parser.
v8.4.27
- Fixed
Containerclone methods types.
v8.4.26
- Fixed clone methods types.
v8.4.25
- Improve stringify performance (by Romain Menke).
- Fixed docs (by @vikaskaliramna07).
v8.4.24
- Fixed
Plugintypes.
v8.4.23
- Fixed warnings in TypeDoc.
v8.4.22
- Fixed TypeScript support with
node16(by Remco Haszing).
v8.4.21
- Fixed
Input#errortypes (by Aleks Hudochenkov).
v8.4.20
- Fixed source map generation for childless at-rules like
@layer.
v8.4.19
- Fixed whitespace preserving after AST transformations (by Romain Menke).
v8.4.18
- Fixed an error on
absolute: truewith emptysourceContent(by Rene Haas).
v8.4.17
- Fixed
Node.before()unexpected behavior (by Romain Menke). - Added TOC to docs (by Mikhail Dedov).
v8.4.16
- Fixed
RootAST migration.
v8.4.15
- Fixed AST normalization after using custom parser with old PostCSS AST.
v8.4.14
- Print “old plugin API” warning only if plugin was used (by @zardoy).
v8.4.13
- Fixed
append()error after using.parent(by Jordan Pittman).
v8.4.12
- Fixed
package.fundingto have same value between all PostCSS packages.
v8.4.11
- Fixed
Declaration#raws.valuetype.
v8.4.10
- Fixed
package.fundingURL format.
v8.4.9
- Fixed
package.funding(by Álvaro Mondéjar).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
Deploying with 
Cloudflare Pages
| Latest commit: |
37b7b22
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://41379c3e.badges.pages.dev |
| Branch Preview URL: | https://renovate-npm-postcss-vulnera.badges.pages.dev |
![cloudflare-workers-and-pages[bot] avatar](https://avatars.githubusercontent.com/in/85455?v=4 "Published by a pub.dev verified publisher"){kind=small}
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update (8.4.31). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.