chore(deps): update dependency postcss to v8.5.10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
postcss (source)	8.4.31 → 8.5.10

---

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@​TharVid)

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93
• https://nvd.nist.gov/vuln/detail/CVE-2026-41305
• https://github.com/postcss/postcss/releases/tag/8.5.10
• https://github.com/advisories/GHSA-qx2v-qp2m-jg93

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

postcss/postcss (postcss)

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

• Fixed Processor#version.

v8.5.7

Compare Source

• Improved source map annotation cleaning performance (by CodeAnt AI).

v8.5.6

Compare Source

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

v8.5.5

Compare Source

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

v8.5.4

Compare Source

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

v8.5.3

Compare Source

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

v8.5.2

Compare Source

• Fixed end position of rules with semicolon (by @​romainmenke).

v8.5.1

Compare Source

• Fixed backwards compatibility for complex cases (by @​romainmenke).

v8.5.0: 8.5 “Duke Alloces”

Compare Source

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

• Tidelift with a Spotify-like subscription model supporting all projects from your lock file.
• Direct donations at GitHub Sponsors or Open Collective.

v8.4.49

Compare Source

• Fixed custom syntax without source.offset (by @​romainmenke).

v8.4.48

Compare Source

• Fixed position calculation in error/warnings methods (by @​romainmenke).

v8.4.47

Compare Source

• Removed debug code.

v8.4.46

Compare Source

• Fixed Cannot read properties of undefined (reading 'before').

v8.4.45

Compare Source

• Removed unnecessary fix which could lead to infinite loop.

v8.4.44

Compare Source

• Another way to fix markClean is not a function error.

v8.4.43

Compare Source

• Fixed markClean is not a function error.

v8.4.42

Compare Source

• Fixed CSS syntax error on long minified files (by @​varpstar).

v8.4.41

Compare Source

• Fixed types (by @​nex3 and @​querkmachine).
• Cleaned up RegExps (by @​bluwy).

v8.4.40

Compare Source

• Moved to getter/setter in nodes types to help Sass team (by @​nex3).

v8.4.39

Compare Source

• Fixed CssSyntaxError types (by @​romainmenke).

v8.4.38

Compare Source

• Fixed endIndex: 0 in errors and warnings (by @​romainmenke).

v8.4.37

Compare Source

• Fixed original.column are not numbers error in another case.

v8.4.36

Compare Source

• Fixed original.column are not numbers error on broken previous source map.

v8.4.35

Compare Source

• Avoid ! in node.parent.nodes type.
• Allow to pass undefined to node adding method to simplify types.

v8.4.34

Compare Source

• Fixed AtRule#nodes type (by Tim Weißenfels).
• Cleaned up code (by Dmitry Kirillov).

v8.4.33

Compare Source

• Fixed NoWorkResult behavior difference with normal mode (by Romain Menke).
• Fixed NoWorkResult usage conditions (by @​ahmdammarr).

v8.4.32

Compare Source

• Fixed postcss().process() types (by Andrew Ferreira).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: demo/yarn.lock

warning package.json: No license field
warning No license field
error Package "" refers to a non-existing file '"/tmp/renovate/repos/github/vnodesign/feedback/dist"'.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	postcss@​8.5.10
	postcss@​8.5.12

View full report