Skip to content

[Security] Bump postcss from 8.4.30 to 8.4.31

George Koltsov requested to merge dependabot-npm_and_yarn-postcss-8.4.31 into main

Bumps postcss from 8.4.30 to 8.4.31. This update includes a security fix.

Vulnerabilities fixed

PostCSS line return parsing error An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

Patched versions: 8.4.31 Affected versions: < 8.4.31

Release notes

Sourced from postcss's releases.

8.4.31

  • Fixed \r parsing to fix CVE-2023-44270.
Changelog

Sourced from postcss's changelog.

8.4.31

  • Fixed \r parsing to fix CVE-2023-44270.
Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @dependabot-bot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading