Update dependency postcss to v8.4.31 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	8.4.27 -> 8.4.31

GitHub Vulnerability Alerts

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

---

Release Notes

postcss/postcss (postcss)

v8.4.31

Compare Source

• Fixed \r parsing to fix CVE-2023-44270.

v8.4.30

Compare Source

• Improved source map performance (by Romain Menke).

v8.4.29

Compare Source

• Fixed Node#source.offset (by Ido Rosenthal).
• Fixed docs (by Christian Oliff).

v8.4.28

Compare Source

• Fixed Root.source.end for better source map (by Romain Menke).
• Fixed Result.root types when process() has no parser.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[vercel]

Someone is attempting to deploy a commit to a Personal Account owned by @X-oss-byte on Vercel.

@X-oss-byte first needs to authorize it.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 232af48

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

PR Type: Enhancement

PR Summary: This pull request updates the postcss package from version 8.4.27 to 8.4.31. This update addresses a security vulnerability identified as CVE-2023-44270, which affects the parsing of characters in CSS, potentially leading to the inclusion of parts of the CSS intended as comments in the PostCSS output. The update ensures that postcss and all related dependencies within the project are aligned with the patched version, mitigating the risk associated with the vulnerability.

Decision: Comment

📝 Type: 'Enhancement' - not supported yet.

• Sourcery currently only approves 'Typo fix' PRs.

✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.

No details provided.

✅ Small diff: the diff is small enough to approve with confidence.

No details provided.

General suggestions:

• Ensure thorough testing of CSS processing within the application to verify that the update does not introduce any regressions.
• Consider setting up automated dependency update tools, if not already in place, to promptly address future security vulnerabilities.
• Review other dependencies for potential security vulnerabilities and update them as necessary.

Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨

Share Sourcery

• X
• Mastodon
• LinkedIn
• Facebook

---

Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.