Commit de68c95
chore(deps): bump postcss to >=8.5.10 (GHSA-qx2v-qp2m-jg93)
Transitive dev-scope dependency pulled in via vite@7.3.2. The pre-8.5.10
line does not escape `</style>` in stringify output; a malicious
PostCSS plugin could inject XSS when output is embedded in HTML
<style> tags. Upstream advisory:
GHSA-qx2v-qp2m-jg93
- CVE-2026-41305 / CVSS v3.1 6.1 (medium).
- First patched: 8.5.10.
- socket-cli does not use PostCSS at runtime, but Dependabot flags
  the lockfile presence so we pin the floor anyway — same discipline
  as the existing defu / glob / qs overrides.
Fix: add `postcss: '>=8.5.10'` to the pnpm-workspace overrides
block. Regenerated pnpm-lock.yaml reflects postcss@8.5.10.
Fixes https://github.com/SocketDev/socket-cli/security/dependabot/1341

parent 5c6b1b3
2 files changed
Lines changed: 6 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
196 | 196 | | |
197 | 197 | | |
198 | 198 | | |
| 199 | + | |
199 | 200 | | |
200 | 201 | | |
201 | 202 | | |
| |||
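Review bot: the rendered view shows only one hunk, a single added line at new line 199 (original lines 196-201 unchanged as context) with the content column blank, and only one of the "2 files changed" is displayed, so nothing here lets a reviewer confirm that the added line is the `postcss: '>=8.5.10'` entry in the pnpm-workspace overrides block or that the regenerated pnpm-lock.yaml actually resolves postcss to 8.5.10 as the message states. Before merging, check the raw diff for both files and confirm the lockfile's resolved postcss version is 8.5.10 or later; also note that the message describes an open floor (`>=`), which is consistent with the existing defu / glob / qs overrides but will not stop a future major version from being pulled in, so the override should be revisited if vite's postcss range changes.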