chore(deps): update dependency postcss to v8.5.10 [security]#33408

Merged

renovate[bot] merged 1 commit into26_1from

renovate/npm-postcss-vulnerability

Apr 24, 2026

Contributor

renovate Bot commented Apr 24, 2026

This PR contains the following updates:

Package	Change	Age	Confidence
postcss (source)	`8.4.38` → `8.5.10`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

CVE-2026-41305 / GHSA-qx2v-qp2m-jg93

More information

Details

PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');

Credits

Discovered and reported by Sunil Kumar (@TharVid)

Severity

CVSS Score: 6.1 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

postcss/postcss (postcss)

`v8.5.10`

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

`v8.5.9`

Speed up source map encoding paring in case of the error.

`v8.5.8`

Fixed Processor#version.

`v8.5.7`

Improved source map annotation cleaning performance (by CodeAnt AI).

`v8.5.6`

Fixed ContainerWithChildren type discriminating (by @Goodwine).

`v8.5.5`

Fixed package.json→exports compatibility with some tools (by @JounQin).

`v8.5.4`

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

`v8.5.3`

Added more details to Unknown word error (by @hiepxanh).
Fixed types (by @romainmenke).
Fixed docs (by @catnipan).

`v8.5.2`

Fixed end position of rules with semicolon (by @romainmenke).

`v8.5.1`

Fixed backwards compatibility for complex cases (by @romainmenke).

`v8.5.0`: 8.5 “Duke Alloces”

President Alloces seal

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

Tidelift with a Spotify-like subscription model supporting all projects from your lock file.
Direct donations at GitHub Sponsors or Open Collective.

`v8.4.49`

Fixed custom syntax without source.offset (by @romainmenke).

`v8.4.48`

Fixed position calculation in error/warnings methods (by @romainmenke).

`v8.4.47`

Removed debug code.

`v8.4.46`

Fixed Cannot read properties of undefined (reading 'before').

`v8.4.45`

Removed unnecessary fix which could lead to infinite loop.

`v8.4.44`

Another way to fix markClean is not a function error.

`v8.4.43`

Fixed markClean is not a function error.

`v8.4.42`

Fixed CSS syntax error on long minified files (by @varpstar).

`v8.4.41`

Fixed types (by @nex3 and @querkmachine).
Cleaned up RegExps (by @bluwy).

`v8.4.40`

Moved to getter/setter in nodes types to help Sass team (by @nex3).

`v8.4.39`

Fixed CssSyntaxError types (by @romainmenke).

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency postcss to v8.5.10 [security]

14873bc

renovate Bot added the dependencies label

github-actions Bot approved these changes

View reviewed changes

renovate Bot merged commit 78a69e1 into 26_1

103 checks passed

renovate Bot deleted the renovate/npm-postcss-vulnerability branch

April 24, 2026 17:33

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels