chore(deps): update dependency postcss to v8.5.10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	8.5.6 → 8.5.10

---

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93
• https://nvd.nist.gov/vuln/detail/CVE-2026-41305
• https://github.com/postcss/postcss/releases/tag/8.5.10
• https://github.com/advisories/GHSA-qx2v-qp2m-jg93

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

• Fixed Processor#version.

v8.5.7

Compare Source

• Improved source map annotation cleaning performance (by CodeAnt AI).

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
shiro	Error		Jun 13, 2026 8:02pm

[safedep]

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
@emnapi/core @ 1.11.0 pnpm-lock.yaml				🔗
@emnapi/runtime @ 1.11.0 pnpm-lock.yaml				🔗
@emnapi/wasi-threads @ 1.2.2 pnpm-lock.yaml				🔗
@haklex/rich-editor @ 0.0.105 pnpm-lock.yaml				🔗
@haklex/rich-kit-shiro @ 0.0.105 pnpm-lock.yaml				🔗
@lexical/clipboard @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/code-core @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/dragon @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/extension @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/headless @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/html @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/link @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/list @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/markdown @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/rich-text @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/selection @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/table @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/text @ 0.42.0 pnpm-lock.yaml				🔗
@lexical/utils @ 0.42.0 pnpm-lock.yaml				🔗
@napi-rs/wasm-runtime @ 1.1.5 pnpm-lock.yaml				🔗
@oxc-project/types @ 0.135.0 pnpm-lock.yaml				🔗
@rolldown/binding-android-arm64 @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-darwin-arm64 @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-darwin-x64 @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-freebsd-x64 @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-arm-gnueabihf @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-arm64-gnu @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-arm64-musl @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-ppc64-gnu @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-s390x-gnu @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-x64-gnu @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-linux-x64-musl @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-openharmony-arm64 @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-wasm32-wasi @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-win32-arm64-msvc @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/binding-win32-x64-msvc @ 1.1.1 pnpm-lock.yaml				🔗
@rolldown/pluginutils @ 1.0.1 pnpm-lock.yaml				🔗
@tybys/wasm-util @ 0.10.2 pnpm-lock.yaml				🔗
lexical @ 0.42.0 pnpm-lock.yaml				🔗
lucide-react @ 1.18.0 pnpm-lock.yaml				🔗
postcss @ 8.5.10 apps/web/package.json pnpm-lock.yaml				🔗
rolldown @ 1.1.1 pnpm-lock.yaml				🔗

View complete scan results →

_{This report is generated by SafeDep Github App}