chore(deps): update dependency postcss to v8.5.10 [security] by renovate[bot] · Pull Request #644 · Innei/Shiro

renovate · 2026-04-25T01:44:01Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	`8.5.6` → `8.5.10`

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@TharVid)

Severity

CVSS Score: 6.1 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

postcss/postcss (postcss)

`v8.5.10`

Compare Source

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

`v8.5.9`

Compare Source

Speed up source map encoding paring in case of the error.

`v8.5.8`

Compare Source

Fixed Processor#version.

`v8.5.7`

Compare Source

Improved source map annotation cleaning performance (by CodeAnt AI).

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel · 2026-04-25T01:44:03Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
shiro	Error		May 28, 2026 6:15pm

safedep · 2026-04-25T01:44:05Z

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
`@emnapi/core @ 1.10.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@emnapi/runtime @ 1.10.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@emnapi/wasi-threads @ 1.2.1` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/cm-editor @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-editor @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-editor-ui @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-ext-code-snippet @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-ext-embed @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-ext-excalidraw @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-ext-gallery @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-ext-nested-doc @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-headless @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-kit-shiro @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-block-handle @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-floating-toolbar @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-link-edit @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-mention @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-slash-menu @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-table @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-plugin-toolbar @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-alert @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-banner @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-codeblock @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-image @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-katex @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-linkcard @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-mention @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-mermaid @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-ruby @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderer-video @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderers @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-renderers-edit @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-static-renderer @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@haklex/rich-style-token @ 0.0.105` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/clipboard @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/code-core @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/dragon @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/extension @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/headless @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/html @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/link @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/list @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/markdown @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/rich-text @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/selection @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/table @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/text @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@lexical/utils @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@napi-rs/wasm-runtime @ 1.1.4` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@oxc-project/types @ 0.133.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-android-arm64 @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-darwin-arm64 @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-darwin-x64 @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-freebsd-x64 @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-arm-gnueabihf @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-arm64-gnu @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-arm64-musl @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-ppc64-gnu @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-s390x-gnu @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-x64-gnu @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-linux-x64-musl @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-openharmony-arm64 @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-wasm32-wasi @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-win32-arm64-msvc @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/binding-win32-x64-msvc @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`@rolldown/pluginutils @ 1.0.1` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`lexical @ 0.42.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`lucide-react @ 1.17.0` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`postcss @ 8.5.10` _npm _{apps/web/package.json} _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗
`rolldown @ 1.0.3` _npm _{pnpm-lock.yaml}	✔️	✔️	✔️	🔗

View complete scan results →

_{This report is generated by SafeDep Github App}

renovate Bot added the renovate label Apr 25, 2026

renovate Bot enabled auto-merge (squash) April 25, 2026 01:44

vercel Bot had a problem deploying to Preview April 25, 2026 01:44 Failure

renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 48e3476 to 27da56e Compare May 1, 2026 04:59

vercel Bot had a problem deploying to Preview May 1, 2026 04:59 Failure

renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 27da56e to 9a3b8ce Compare May 12, 2026 17:05

vercel Bot had a problem deploying to Preview May 12, 2026 17:05 Failure

renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 9a3b8ce to 93a01c9 Compare May 18, 2026 10:54

vercel Bot had a problem deploying to Preview May 18, 2026 10:54 Failure

chore(deps): update dependency postcss to v8.5.10 [security]

7f5acba

renovate Bot force-pushed the renovate/npm-postcss-vulnerability branch from 93a01c9 to 7f5acba Compare May 28, 2026 18:15

vercel Bot had a problem deploying to Preview May 28, 2026 18:15 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency postcss to v8.5.10 [security]#644

chore(deps): update dependency postcss to v8.5.10 [security]#644
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-postcss-vulnerability

renovate Bot commented Apr 25, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Apr 25, 2026 •

edited

Loading

Uh oh!

safedep Bot commented Apr 25, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate Bot commented Apr 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

Proof of Concept

Impact

Suggested Fix

Credits

Severity

References

Release Notes

v8.5.10

v8.5.9

v8.5.8

v8.5.7

Configuration

Uh oh!

vercel Bot commented Apr 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

safedep Bot commented Apr 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

SafeDep Report Summary

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Apr 25, 2026 •

edited

Loading

PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

`v8.5.10`

`v8.5.9`

`v8.5.8`

`v8.5.7`

vercel Bot commented Apr 25, 2026 •

edited

Loading

safedep Bot commented Apr 25, 2026 •

edited

Loading