[Security] Bump postcss from 8.4.29 to 8.4.31
Bumps postcss from 8.4.29 to 8.4.31. This update includes a security fix.
Vulnerabilities fixed
PostCSS line return parsing error. An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by "@font-face{ font:(\r/*);}" in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
Patched versions: 8.4.31 Affected versions: < 8.4.31
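Two checks a consumer of this advisory would want are a version gate against the patched release and a line-return normalisation step for CSS that comes from an untrusted source before it reaches a PostCSS-based linter. The following is an added example written for this page; it is not code from the postcss project or from Dependabot. The function names, the semver parser and the CRLF/CR-to-LF normalisation are this example's own choices; the sample CSS is the advisory's demonstration string, embedded here as a constructed input.

```javascript
// Added example (not postcss's own code): defensive checks around the
// PostCSS \r parsing issue described in the advisory above.

// 1. Version gate: is an installed postcss version below the patched 8.4.31?
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const PATCHED_POSTCSS = '8.4.31'; // patched version stated in the advisory

// True when `version` is affected (strictly below the patched release).
function isAffectedPostcss(version) {
  return compareSemver(version, PATCHED_POSTCSS) < 0;
}

// 2. Input normalisation for untrusted CSS: rewrite CRLF and lone CR to LF so
//    the parser sees a single newline convention. The count of rewritten line
//    returns is returned so the caller can log it or reject CR-bearing input.
function normalizeLineReturns(css) {
  let crCount = 0;
  const normalized = css.replace(/\r\n?/g, () => {
    crCount++;
    return '\n';
  });
  return { css: normalized, crCount };
}

// Constructed input: the advisory's demonstration string.
const ADVISORY_SAMPLE = '@font-face{ font:(\r/*);}';

function demo() {
  const result = normalizeLineReturns(ADVISORY_SAMPLE);
  return {
    affected_8_4_29: isAffectedPostcss('8.4.29'),
    affected_8_4_31: isAffectedPostcss('8.4.31'),
    normalizedSample: result.css,
    lineReturnsRewritten: result.crCount,
  };
}
```

Normalising line returns does not replace the upgrade; it only removes the ambiguity that the advisory's sample exploits, so the version gate should still fail the build for any postcss below 8.4.31.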
Release notes
Sourced from postcss's releases.
8.4.31
- Fixed \r parsing to fix CVE-2023-44270.
8.4.30
- Improved source map performance (by @romainmenke).
Changelog
Sourced from postcss's changelog.
8.4.31
- Fixed \r parsing to fix CVE-2023-44270.
8.4.30
- Improved source map performance (by Romain Menke).
Commits
- 90208de Release 8.4.31 version
- 58cc860 Fix carrier return parsing
- 4fff8e4 Improve pnpm test output
- cd43ed1 Update dependencies
- caa916b Update dependencies
- 8972f76 Typo
- 11a5286 Typo
- 45c5501 Release 8.4.30 version
- bc3c341 Update linter
- b2be58a Merge pull request #1881 from romainmenke/improve-sourcemap-performance--phil...
- Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts