Dependabot currently detects that v3.0.1 exists but says "No update possible for css-tree 2.3.1" in its logs. I don't understand why.
We're going to need to bump CSS Tree once a new version gets released (so that we may drop the patch on css-values-5). I'm creating this issue both to understand why dependabot refuses to create a PR by itself and to track switch to the new version.