Update dependency postcss to v8.5.10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
postcss (source)	8.5.6 → 8.5.10

---

PostCSS line return parsing error

CVE-2023-44270 / GHSA-7fh5-64p2-3v2j

More information

Details

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-44270
• https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
• https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
• https://github.com/postcss/postcss/releases/tag/8.4.31
• https://github.com/github/advisory-database/issues/2820
• https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html
• https://github.com/advisories/GHSA-7fh5-64p2-3v2j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93
• https://nvd.nist.gov/vuln/detail/CVE-2026-41305
• https://github.com/postcss/postcss/releases/tag/8.5.10
• https://github.com/advisories/GHSA-qx2v-qp2m-jg93

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

• Fixed Processor#version.

v8.5.7

Compare Source

• Improved source map annotation cleaning performance (by CodeAnt AI).

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • ""
• Automerge
  • Only on Sunday and Saturday (* * * * 0,6)
  • Between 12:00 AM and 12:59 PM, only on Monday (* 0-12 * * 1)
  • Between 10:00 PM and 11:59 PM, Monday through Friday (* 22-23 * * 1-5)
  • Between 12:00 AM and 04:59 AM, Tuesday through Saturday (* 0-4 * * 2-6)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[955:0x3ff81000]    85268 ms: Scavenge 1006.1 (1020.5) -> 1006.0 (1024.5) MB, pooled: 0 MB, 1.60 / 0.00 ms  (average mu = 0.736, current mu = 0.818) allocation failure; 
[955:0x3ff81000]    86752 ms: Mark-Compact (reduce) 1027.4 (1045.4) -> 1027.1 (1038.4) MB, pooled: 0 MB, 1118.86 / 0.00 ms  (+ 116.9 ms in 6 steps since start of marking, biggest step 19.8 ms, walltime since start of marking 1484 ms) (average mu = 0.561, 
FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0x73f8c4 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/24.15.0/bin/node]
 2: 0xc06f90  [/opt/containerbase/tools/node/24.15.0/bin/node]
 3: 0xc0707f  [/opt/containerbase/tools/node/24.15.0/bin/node]
 4: 0xeaa885  [/opt/containerbase/tools/node/24.15.0/bin/node]
 5: 0xebc1ec  [/opt/containerbase/tools/node/24.15.0/bin/node]
 6: 0xe916a3  [/opt/containerbase/tools/node/24.15.0/bin/node]
 7: 0xe667f4  [/opt/containerbase/tools/node/24.15.0/bin/node]
 8: 0xe4e072  [/opt/containerbase/tools/node/24.15.0/bin/node]
 9: 0xe6fe5f  [/opt/containerbase/tools/node/24.15.0/bin/node]
10: 0x12373b9  [/opt/containerbase/tools/node/24.15.0/bin/node]
11: 0x11c5c10  [/opt/containerbase/tools/node/24.15.0/bin/node]
12: 0x11c73bb  [/opt/containerbase/tools/node/24.15.0/bin/node]
13: 0x11c7b7d  [/opt/containerbase/tools/node/24.15.0/bin/node]
14: 0x11c7d14  [/opt/containerbase/tools/node/24.15.0/bin/node]
15: 0x11ca695  [/opt/containerbase/tools/node/24.15.0/bin/node]
16: 0x11b7dc6  [/opt/containerbase/tools/node/24.15.0/bin/node]
17: 0x11d3506  [/opt/containerbase/tools/node/24.15.0/bin/node]
18: 0x13692f6  [/opt/containerbase/tools/node/24.15.0/bin/node]
19: 0x1a689b6  [/opt/containerbase/tools/node/24.15.0/bin/node]
/usr/local/bin/node: line 18:   955 Aborted                 /opt/containerbase/tools/node/24.15.0/bin/node "$@"