chore(deps): update dependency postcss to v8.4.31 [security] #33

Open

renovate[bot] wants to merge 1 commits from renovate/npm-postcss-vulnerability into develop

pull from: renovate/npm-postcss-vulnerability

merge into: sphericalkat:develop

sphericalkat:develop

sphericalkat:renovate/rustler-0.x

sphericalkat:renovate/autoprefixer-10.x-lockfile

sphericalkat:renovate/esbuild-0.x

sphericalkat:renovate/gettext-0.x

sphericalkat:renovate/phoenix_live_view-0.x

sphericalkat:renovate/phoenix_live_dashboard-0.x

sphericalkat:renovate/fs-extra-11.x

sphericalkat:renovate/bcrypt_elixir-3.x

sphericalkat:renovate/phoenix-1.x

sphericalkat:renovate/esbuild-plugin-postcss2-0.x

sphericalkat:feat/custom-paste

sphericalkat:master

Conversation 0 Commits 1 Files Changed 1 +6 -6

renovate[bot] commented 2023-10-07 22:00:53 +00:00 (Migrated from github.com)

Copy Link

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	8.4.24 -> 8.4.31

GitHub Vulnerability Alerts

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

---

Release Notes

postcss/postcss (postcss)

v8.4.31

Compare Source

• Fixed \r parsing to fix CVE-2023-44270.

v8.4.30

Compare Source

• Improved source map performance (by Romain Menke).

v8.4.29

Compare Source

• Fixed Node#source.offset (by Ido Rosenthal).
• Fixed docs (by Christian Oliff).

v8.4.28

Compare Source

• Fixed Root.source.end for better source map (by Romain Menke).
• Fixed Result.root types when process() has no parser.

v8.4.27

Compare Source

• Fixed Container clone methods types.

v8.4.26

Compare Source

• Fixed clone methods types.

v8.4.25

Compare Source

• Improve stringify performance (by Romain Menke).
• Fixed docs (by @​vikaskaliramna07).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [postcss](https://postcss.org/) ([source](https://togithub.com/postcss/postcss)) | [`8.4.24` -> `8.4.31`](https://renovatebot.com/diffs/npm/postcss/8.4.24/8.4.31) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-44270](https://nvd.nist.gov/vuln/detail/CVE-2023-44270) An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment. --- ### Release Notes <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.4.31`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8431) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.30...8.4.31) - Fixed `\r` parsing to fix CVE-2023-44270. ### [`v8.4.30`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8430) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.29...8.4.30) - Improved source map performance (by Romain Menke). ### [`v8.4.29`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8429) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.28...8.4.29) - Fixed `Node#source.offset` (by Ido Rosenthal). - Fixed docs (by Christian Oliff). ### [`v8.4.28`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8428) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.27...8.4.28) - Fixed `Root.source.end` for better source map (by Romain Menke). - Fixed `Result.root` types when `process()` has no parser. ### [`v8.4.27`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8427) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.26...8.4.27) - Fixed `Container` clone methods types. ### [`v8.4.26`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8426) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.25...8.4.26) - Fixed clone methods types. ### [`v8.4.25`](https://togithub.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8425) [Compare Source](https://togithub.com/postcss/postcss/compare/8.4.24...8.4.25) - Improve stringify performance (by Romain Menke). - Fixed docs (by [@&#8203;vikaskaliramna07](https://togithub.com/vikaskaliramna07)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/SphericalKat/katbin). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy44MS4zIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCJ9-->

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions.

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/npm-postcss-vulnerability:renovate/npm-postcss-vulnerability

git checkout renovate/npm-postcss-vulnerability

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

Hacktoberfest

  

PR: draft

  

PR: merged

  

PR: partially-approved

  

PR: reviewed-approved

  

PR: reviewed-changes-requested

  

PR: unreviewed

  

bug

Something isn't working

  

dependencies

Pull requests that update a dependency file

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

wontfix

This will not be worked on

No Label

Hacktoberfest

PR: draft

PR: merged

PR: partially-approved

PR: reviewed-approved

PR: reviewed-changes-requested

PR: unreviewed

bug

dependencies

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sphericalkat/katbin#33

No description provided.