chore(deps): update dependency postcss-selector-parser to v7.1.1 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
postcss-selector-parser	7.1.0 -> 7.1.1

---

Release Notes

postcss/postcss-selector-parser (postcss-selector-parser)

v7.1.1

Compare Source

• perf: replace startsWith with strict equality (#​308)
• fix(types): add walkUniversal declaration (#​311)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Output of pnpm why postcss-selector-parser:

Legend: production dependency, optional only, dev only

@cyclonedx/[email protected] /home/runner/work/cdxgen/cdxgen

dependencies:
@npmcli/query 5.0.0
└── postcss-selector-parser 7.1.1

Output of jq on components:

{
  "group": "",
  "name": "postcss-selector-parser",
  "version": "7.1.1",
  "description": "> Selector parser with built in methods for working with selector strings.",
  "scope": "optional",
  "hashes": [
    {
      "alg": "SHA-512",
      "content": "a2b46cb98a49570f0b740c2aa8bca4063f5e712e7f7111e5239fa7bd3a3c2dc08a9b30e6a953915ed388604110b8bf43e01c6d035966e62b00ab34190a843a12"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "MIT",
        "url": "https://opensource.org/licenses/MIT"
      }
    }
  ],
  "purl": "pkg:npm/[email protected]",
  "externalReferences": [
    {
      "type": "vcs",
      "url": "https://github.com/postcss/postcss-selector-parser"
    },
    {
      "type": "vcs",
      "url": "git+https://github.com/postcss/postcss-selector-parser.git"
    }
  ],
  "type": "library",
  "bom-ref": "pkg:npm/[email protected]",
  "properties": [
    {
      "name": "SrcFile",
      "value": "pnpm-lock.yaml"
    }
  ],
  "evidence": {
    "identity": [
      {
        "field": "purl",
        "confidence": 1,
        "methods": [
          {
            "technique": "manifest-analysis",
            "confidence": 1,
            "value": "pnpm-lock.yaml"
          }
        ],
        "concludedValue": "pnpm-lock.yaml"
      }
    ]
  },
  "tags": [
    "parse"
  ]
}

Output of jq on dependencies:

{
  "ref": "pkg:npm/[email protected]",
  "dependsOn": [
    "pkg:npm/[email protected]",
    "pkg:npm/[email protected]"
  ]
}
{
  "ref": "pkg:npm/@npmcli/[email protected]",
  "dependsOn": [
    "pkg:npm/[email protected]"
  ]
}

[prabhu]

arborist is such a bloated dependency. It makes zero sense to use a postcss-selector dependency for something as simple as parsing package-lock.json. The below function that imports the package actually has no usage, so there must be a way to trim and remove all these wishful dependencies that npm team adds.

cdxgen/lib/third-party/arborist/lib/node.js

Line 1568 in 14c2599

querySelectorAll(query, opts) {