[Security] Bump postcss from 8.4.30 to 8.4.31 (!2435) · Merge requests · multiple-projects / imported-project-ed0b947507b98663

George Koltsov requested to merge dependabot-npm_and_yarn-postcss-8.4.31 into main Oct 09, 2023

Bumps postcss from 8.4.30 to 8.4.31. This update includes a security fix.

Vulnerabilities fixed

PostCSS line return parsing error An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

Patched versions: 8.4.31 Affected versions: < 8.4.31

Release notes

Sourced from postcss's releases.

8.4.31

Fixed \r parsing to fix CVE-2023-44270.

Changelog

Sourced from postcss's changelog.

8.4.31

Fixed \r parsing to fix CVE-2023-44270.

Commits

90208de Release 8.4.31 version
58cc860 Fix carrier return parsing
4fff8e4 Improve pnpm test output
cd43ed1 Update dependencies
caa916b Update dependencies
8972f76 Typo
11a5286 Typo
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

@dependabot-bot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Admin message

Admin message

[Security] Bump postcss from 8.4.30 to 8.4.31

8.4.31

8.4.31

Merge request reports