Skip to content

chore(deps): update dependency postcss to v8.5.10 [security]#31

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-postcss-vulnerability
Open

chore(deps): update dependency postcss to v8.5.10 [security]#31
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-postcss-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
postcss (source) 8.4.498.5.10 age confidence

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output
Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');
Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

  • Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

  • Fixed Processor#version.

v8.5.7

Compare Source

  • Improved source map annotation cleaning performance (by CodeAnt AI).

v8.5.6

Compare Source

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

v8.5.5

Compare Source

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

v8.5.4

Compare Source

v8.5.3

Compare Source

v8.5.2

Compare Source

v8.5.1

Compare Source

v8.5.0: 8.5 “Duke Alloces”

Compare Source

President Alloces seal

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@renovate renovate Bot added the 📦 deps label May 15, 2026
@vercel

vercel Bot commented May 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
concurrent-styled-components Error Error May 15, 2026 6:40pm

Request Review

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedbabel-plugin-react-compiler@​19.0.0-beta-af1b7da-202504171001007397100
Addedpostcss@​8.5.10991008292100
Addedeslint-plugin-react-compiler@​19.0.0-beta-af1b7da-202504171001009293100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants