netlify[bot]
commented
3 months ago Deploy Preview for fastidious-arithmetic-0085b6 failed.
| Name | Link |
|---|---|
| Latest commit | d4ff163c156ea8fb5737f45254f8650cb32ab14f |
| Latest deploy log | https://app.netlify.com/sites/fastidious-arithmetic-0085b6/deploys/66b40986c0451f0008610aa9 |
This PR contains the following updates:
^8.4.23->^8.4.31GitHub Vulnerability Alerts
CVE-2023-44270
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be
\rdiscrepancies, as demonstrated by@font-face{ font:(\r/*);}in a rule.This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
PostCSS line return parsing error
CVE-2023-44270 / GHSA-7fh5-64p2-3v2j
More information
#### Details An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2023-44270](https://nvd.nist.gov/vuln/detail/CVE-2023-44270) - [https://github.com/github/advisory-database/issues/2820](https://redirect.github.com/github/advisory-database/issues/2820) - [https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5](https://redirect.github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5) - [https://github.com/postcss/postcss](https://redirect.github.com/postcss/postcss) - [https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25](https://redirect.github.com/postcss/postcss/blob/main/lib/tokenize.js#L25) - [https://github.com/postcss/postcss/releases/tag/8.4.31](https://redirect.github.com/postcss/postcss/releases/tag/8.4.31) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7fh5-64p2-3v2j) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
postcss/postcss (postcss)
### [`v8.4.31`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8431) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.30...8.4.31) - Fixed `\r` parsing to fix CVE-2023-44270. ### [`v8.4.30`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8430) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.29...8.4.30) - Improved source map performance (by Romain Menke). ### [`v8.4.29`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8429) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.28...8.4.29) - Fixed `Node#source.offset` (by Ido Rosenthal). - Fixed docs (by Christian Oliff). ### [`v8.4.28`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8428) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.27...8.4.28) - Fixed `Root.source.end` for better source map (by Romain Menke). - Fixed `Result.root` types when `process()` has no parser. ### [`v8.4.27`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8427) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.26...8.4.27) - Fixed `Container` clone methods types. ### [`v8.4.26`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8426) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.25...8.4.26) - Fixed clone methods types. ### [`v8.4.25`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8425) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.24...8.4.25) - Improve stringify performance (by Romain Menke). - Fixed docs (by [@vikaskaliramna07](https://redirect.github.com/vikaskaliramna07)). ### [`v8.4.24`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8424) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.23...8.4.24) - Fixed `Plugin` types.Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.