Skip to content

chore(deps-dev): bump postcss from 8.5.8 to 8.5.14#7896

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/postcss-8.5.13
Open

chore(deps-dev): bump postcss from 8.5.8 to 8.5.14#7896
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/postcss-8.5.13

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 2, 2026
edited
Loading

Bumps postcss from 8.5.8 to 8.5.14.

Release notes

Sourced from postcss's releases.

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Changelog

Sourced from postcss's changelog.

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Commits
  • 3ec1394 Release 8.5.14 version
  • f2bb827 Update dependencies
  • d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
  • 68bd213 fix: always call raw to retrieve raw values
  • af58cf1 Release 8.5.13 version
  • f227dbd Temporary ignore pnpm 11 config
  • d3abd40 Update dependencies
  • dd06c3e Revert stringifier changes because of the conflict with postcss-scss
  • ae889c8 Try to fix CI
  • e0093e4 Move to pnpm 11
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 2, 2026
@monkeytypegeorge monkeytypegeorge added the frontend User interface or web stuff label May 2, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 2, 2026

Continuous integration check(s) failed. Please review the failing check's logs and make the necessary changes.

@github-actions github-actions Bot added waiting for update Pull requests or issues that require changes/comments before continuing and removed waiting for update Pull requests or issues that require changes/comments before continuing labels May 2, 2026
@dependabot dependabot Bot changed the title chore(deps-dev): bump postcss from 8.5.8 to 8.5.13 chore(deps-dev): bump postcss from 8.5.8 to 8.5.14 May 5, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.13 branch from c5ec676 to bfdadc8 Compare May 5, 2026 07:28
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 5, 2026

Continuous integration check(s) failed. Please review the failing check's logs and make the necessary changes.

@github-actions github-actions Bot added waiting for update Pull requests or issues that require changes/comments before continuing and removed waiting for update Pull requests or issues that require changes/comments before continuing labels May 5, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.13 branch from bfdadc8 to 2e1e615 Compare May 5, 2026 07:31
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 5, 2026

Continuous integration check(s) failed. Please review the failing check's logs and make the necessary changes.

@github-actions github-actions Bot added the waiting for update Pull requests or issues that require changes/comments before continuing label May 5, 2026
@github-actions github-actions Bot removed the waiting for update Pull requests or issues that require changes/comments before continuing label May 12, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 12, 2026

Dependabot can't authenticate to a private package registry. Because of this, Dependabot cannot update this pull request.

@dependabot
chore(deps-dev): bump postcss from 8.5.8 to 8.5.14
4b5263e 
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.8 to 8.5.14.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.14)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.13
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.13 branch from 2e1e615 to 4b5263e Compare May 13, 2026 08:18
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 13, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​types/​mjml@​4.7.41001005785100
Added@​types/​damerau-levenshtein@​1.0.0951006179100
Added@​types/​subset-font@​1.4.3671007382100
Added@​types/​readline-sync@​1.4.81001007080100
Added@​tanstack/​solid-hotkeys-devtools@​0.6.6701009999100
Added@​tanstack/​solid-query-devtools@​5.100.38310070100100
Added@​types/​throttle-debounce@​5.0.21001007080100
Added@​tanstack/​solid-db@​0.2.197710071100100
Added@​types/​swagger-stats@​0.95.11851007176100
Added@​types/​express@​5.0.31001007185100
Added@​types/​object-hash@​3.0.61001007180100
Added@​types/​cron@​1.7.31001007180100
Added@​types/​supertest@​6.0.31001007181100
Added@​types/​ua-parser-js@​0.7.361001007180100
Added@​types/​canvas-confetti@​1.4.31001007280100
Added@​types/​bcrypt@​5.0.21001007281100
Added@​sentry/​browser@​10.44.0721009196100
Added@​tanstack/​solid-table@​8.21.3921007398100
Added@​types/​howler@​2.2.71001007380100
Added@​tanstack/​query-db-collection@​1.0.361001007397100
Added@​types/​mustache@​4.2.21001007481100
Added@​types/​chartjs-plugin-trendline@​1.0.1881007476100
Added@​tanstack/​eslint-plugin-query@​5.100.310010075100100
Addedballoon-css@​1.2.09710010075100
Added@​storybook/​addon-vitest@​10.2.169910076100100
Added@​types/​ioredis@​4.28.101001007680100
Added@​types/​nodemailer@​6.4.151001007692100
Added@​redocly/​cli@​2.24.177100100100100
Added@​tanstack/​solid-devtools@​0.8.2771008596100
Added@​tanstack/​solid-hotkeys@​0.9.17710010099100
Added@​storybook/​addon-a11y@​10.2.1610010078100100
Added@​oxlint/​plugins@​1.43.0781009986100
Added@​vitest/​browser@​4.0.18981007899100
See 28 more rows in the dashboard

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 13, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method in npm basic-ftp

CVE: GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method (CRITICAL)

Affected versions: < 5.2.0

Patched version: 5.2.0

From: pnpm-lock.yamlnpm/basic-ftp@5.0.5

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 13, 2026

Continuous integration check(s) failed. Please review the failing check's logs and make the necessary changes.

@github-actions github-actions Bot added the waiting for update Pull requests or issues that require changes/comments before continuing label May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file frontend User interface or web stuff javascript Pull requests that update Javascript code waiting for update Pull requests or issues that require changes/comments before continuing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@monkeytypegeorge