
chore: bump postcss to 8.5.10#93288

Merged
eps1lon merged 3 commits into vercel:canary from maximecolin:bump-postcss-8.5.10
Apr 29, 2026

Conversation

@maximecolin
Contributor

@maximecolin maximecolin commented Apr 27, 2026

Fixes the moderate-severity advisory GHSA-qx2v-qp2m-jg93 by upgrading postcss from 8.4.31 to 8.5.10 in both the Next.js package and the workspace devDependencies. pnpm-lock.yaml regenerated accordingly.

Note that this vulnerability does not affect Next.js users unless they build from untrusted source code (which would have more severe security implications). We're merging this to reduce noise from security scanners.

Fixes #93234
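An added example, not code from this PR or from the Next.js repository: a small Node script that confirms a bump like this one actually took effect by checking every resolved copy of postcss in a pnpm lockfile against the fixed version (8.5.10, per the advisory title on this page). A lockfile can carry more than one copy of a package when another dependency pins an older range, so checking only `package.json` is not enough. The lockfile text below is a constructed sample in the pnpm v9 key shape (`name@version:`), not the repository's real pnpm-lock.yaml, and the integrity hashes are placeholders.

```javascript
// Added example: flag resolved lockfile entries that sit below a fixed version.
// Not part of the PR; the lockfile content is constructed for illustration.

// Constructed pnpm v9-style lockfile (not the real pnpm-lock.yaml).
// Package keys look like "name@version:"; entries with peer dependencies carry
// a "(peer@version)" suffix, and scoped names are quoted.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

packages:

  postcss@8.4.31:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: ^10 || ^12 || >=14}

  postcss@8.5.10:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: ^10 || ^12 || >=14}

  postcss-loader@8.1.1(postcss@8.5.10):
    resolution: {integrity: sha512-PLACEHOLDER}

  '@scope/other@1.2.3':
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Minimum acceptable version per package (hypothetical table; only the
// postcss floor comes from this page's advisory).
const MINIMUM_VERSIONS = { postcss: "8.5.10" };

// Extract [{ name, version }] from the two-space-indented package keys.
// Deeper-indented sub-keys (resolution:, engines:) do not match.
function resolvedPackages(lockText) {
  const keyRe = /^ {2}'?((?:@[^/\s]+\/)?[^@\s']+)@([^\s':]+)'?:\s*$/;
  const out = [];
  for (const line of lockText.split("\n")) {
    const m = keyRe.exec(line);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Numeric semver comparison on major.minor.patch; a prerelease tag makes a
// version older than the same core without one. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split("-", 2);
    return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Return every resolved copy of a tracked package that is below its floor.
function findOutdated(lockText, minimums = MINIMUM_VERSIONS) {
  const findings = [];
  for (const { name, version } of resolvedPackages(lockText)) {
    const floor = minimums[name];
    if (!floor) continue;
    const clean = version.split("(")[0]; // drop pnpm peer-dependency suffix
    if (compareVersions(clean, floor) < 0) {
      findings.push({ name, version: clean, minimum: floor });
    }
  }
  return findings;
}

function report(lockText) {
  const outdated = findOutdated(lockText);
  if (outdated.length === 0) {
    console.log("every resolved copy meets its minimum version");
  } else {
    for (const f of outdated) {
      console.log(`${f.name}@${f.version} resolved below ${f.minimum}`);
    }
  }
  return outdated.length;
}

report(SAMPLE_LOCKFILE);
```

Run against a real lockfile by replacing `SAMPLE_LOCKFILE` with `fs.readFileSync("pnpm-lock.yaml", "utf8")`; a non-zero return from `report` is the signal to wire into CI. The sample deliberately keeps an old `postcss@8.4.31` entry beside the bumped one, which is exactly the state a scanner would still complain about after an incomplete upgrade.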

@maximecolin maximecolin marked this pull request as ready for review April 27, 2026 15:46
@github-actions
Contributor

github-actions Bot commented Apr 27, 2026

Tests Passed

Commit: b394dd2

Member

@eps1lon eps1lon left a comment


Thank you!

@github-actions github-actions Bot added the tests label Apr 28, 2026
@eps1lon
Member

eps1lon commented Apr 28, 2026

In case people find the PR but not the issue:

We'll bump the vendored postcss version to silence the warning. This vulnerability does not affect Next.js users since postcss only runs at build time. You would only be affected if you build with untrusted code in which case there are bigger concerns than malicious CSS causing XSS.

-- #93234 (comment)

maximecolin and others added 3 commits April 29, 2026 11:35

Fixes the moderate-severity advisory GHSA-qx2v-qp2m-jg93 by upgrading postcss from 8.4.31 to 8.5.10 in both the Next.js package and the workspace devDependencies. pnpm-lock.yaml regenerated accordingly.

postcss 8.5 enriched the "Unknown word" error message with the offending token, breaking the inline snapshots in ReactRefreshLogBox tests on the webpack flavor.
@eps1lon eps1lon force-pushed the bump-postcss-8.5.10 branch from 4f2b7ef to b394dd2 April 29, 2026 09:37
@eps1lon eps1lon changed the title from "chore: bump postcss to 8.5.10 (GHSA-qx2v-qp2m-jg93)" to "chore: bump postcss to 8.5.10" Apr 29, 2026
@eps1lon eps1lon merged commit 4945b6e into vercel:canary Apr 29, 2026
178 of 180 checks passed
Development

Successfully merging this pull request may close these issues.

postcss bundled by next is vulnerable to XSS (GHSA-qx2v-qp2m-jg93) — please update to >=8.5.10

2 participants