chore(deps): update dependency postcss to v8.4.31 [security]#1910
chore(deps): update dependency postcss to v8.4.31 [security]#1910renovate[bot] wants to merge 1 commit intomainfrom
Conversation
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is protestware?This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function. Consider that consuming this package may come along with functionality unrelated to its primary purpose. What is a critical CVE?Contains a Critical Common Vulnerability and Exposure (CVE). Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
|
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
5e68ad9 to
4f067c4
Compare
|
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
4f067c4 to
d4a29f5
Compare
|
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
d4a29f5 to
2c5be47
Compare
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
2c5be47 to
6ca00c1
Compare
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
6ca00c1 to
6e83bfa
Compare
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
6e83bfa to
76e7425
Compare
renovate
bot
force-pushed
the
renovate/npm-postcss-vulnerability
branch
from
76e7425 to
0b6b0b0
Compare
|
Report too large to display inline |
|
This PR contains the following updates:
8.4.18->8.4.31GitHub Vulnerability Alerts
CVE-2023-44270
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be
\rdiscrepancies, as demonstrated by@font-face{ font:(\r/*);}in a rule.This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Release Notes
postcss/postcss (postcss)
v8.4.31Compare Source
\rparsing to fix CVE-2023-44270.v8.4.30Compare Source
v8.4.29Compare Source
Node#source.offset(by Ido Rosenthal).v8.4.28Compare Source
Root.source.endfor better source map (by Romain Menke).Result.roottypes whenprocess()has no parser.v8.4.27Compare Source
Containerclone methods types.v8.4.26Compare Source
v8.4.25Compare Source
v8.4.24Compare Source
Plugintypes.v8.4.23Compare Source
v8.4.22Compare Source
node16(by Remco Haszing).v8.4.21Compare Source
Input#errortypes (by Aleks Hudochenkov).v8.4.20Compare Source
@layer.v8.4.19Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.