postcss: initial integration

[rootvector2]

Initial OSS-Fuzz integration for PostCSS,
the JavaScript-based CSS parser/transformer.

What this adds

A new projects/postcss/ directory with the standard four files:

• project.yaml — language: javascript, libfuzzer, none sanitizer,
  primary_contact: andrey@sitnik.es (PostCSS author/maintainer).

• Dockerfile — FROM gcr.io/oss-fuzz-base/base-builder-javascript,
  shallow-clones https://github.com/postcss/postcss, copies the fuzz target.

• build.sh — installs runtime dependencies with --omit=dev --legacy-peer-deps
  (PostCSS's devDependencies have an unrelated TypeScript peer-dep conflict that
  doesn't affect the library's runtime behavior), then installs @jazzer.js/core
  and runs compile_javascript_fuzzer.

• fuzz_parse.js — single fuzz target that uses FuzzedDataProvider to
  randomize parser options (from, map), then exercises:

  • postcss.parse() with the generated CSS
  • AST walk() and per-node toString() / error() (touches input/source-map
    machinery)
  • parse → toString → re-parse round-trip
  • toJSON() / postcss.fromJSON() round-trip
  • postcss.list.comma / space / split (CSS value list helpers with
    independent quoting/escape logic)

  Only CssSyntaxError is treated as expected; everything else propagates so
  real bugs surface.

Why PostCSS

PostCSS is a high-impact dependency in the JavaScript ecosystem (used by
Tailwind, Autoprefixer, modern CSS Modules, Next.js, Vite, etc.). Any parser or
stringifier bug has a wide blast radius across the front-end build chain.

Local verification

Built and ran via Docker on linux/amd64:

• compile_javascript_fuzzer produces /out/fuzz_parse cleanly.
• 5,000-run smoke: cov 189 → 771, ft 189 → 1414, corpus 106 entries,
  ~5,000 exec/s, no crashes.

[github-actions]

rootvector2 is integrating a new project:
- Main repo: https://github.com/postcss/postcss
- Criticality score: 0.63326

[ai]

LGTM as PostCSS maintainer

[rootvector2]

@DavidKorczynski Could you please help with the final review/merge when you get a moment?

[DavidKorczynski]

Project looks good.

Can we store the fuzzing harness and dictionary in the upstream repository?

[ai]

@rootvector2 you can put them in test/fuzzing of postcss repo

[rootvector2]

@rootvector2 you can put them in test/fuzzing of postcss repo

Sure

[rootvector2]

Project looks good.

Can we store the fuzzing harness and dictionary in the upstream repository?

@DavidKorczynski Done

[rootvector2]

@DavidKorczynski we got LGTM From PostCSS maintainer Can you Review It Please

[DavidKorczynski]

@DavidKorczynski we got LGTM From PostCSS maintainer Can you Review It Please

The CI is failing, can you adjust please

[rootvector2]

@DavidKorczynski we got LGTM From PostCSS maintainer Can you Review It Please

The CI is failing, can you adjust please

Done Now its Green