Update autoprefixer 10.4.27 → 10.5.0 (minor)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ autoprefixer (10.4.27 → 10.5.0) · Repo · Changelog

Release Notes

10.5.0

• Added mask-position-x and mask-position-y support (by @toporek).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

• Release 10.5 version
• Update dependencies
• Update email
• Replace ESLint and Prettier to oxlint and oxfmt
• Add prefixing support for mask-position-x and mask-position-y (#1548)

↗️ baseline-browser-mapping (indirect, 2.9.10 → 2.10.19) · Repo

Release Notes

2.10.0

What's Changed

• Introduces support for Node 6 by refactoring all Object.entries and Object.values instances and lowering ES target in Rollup to es2015.
• Adds specified Node version support in package.json for >=6.0.0.
• Refactors CLI code to avoid parseArgs which is not supported by versions of Node prior to 18, changes import to require and changes Rollup export to cjs to allow execution on older versions of Node.
• Adds a new legacy-test.js file that allows basic testing on older versions of Node where current versions of Jasmine and ESLint are not supported.
• Adds a test matrix to run tests on all even-numbered Node versions from 6 to 24.
• refactor publish workflows to support NPM's new OIDC integration

Full Changelog: v2.9.24...v2.10.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ browserslist (indirect, 4.28.1 → 4.28.2) · Repo · Changelog

Release Notes

4.28.2

• Fix prototype pollution (by @chluo1997).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• Release 4.28.2 version
• Re-use single constant
• Update email
• Process all files with oxfmt
• Add oxfmt support
• Update dependencies
• Merge pull request #926 from chluo1997/fix-pp
• fix: prevent prototype pollution
• Merge pull request #924 from SethFalco/custom-stats
• docs: add more details on custom stats
• Remove dead link
• Merge pull request #919 from Ethan-Arrowood/patch-1
• Use "the Node.js team" instead
• Update Node.js Foundation in README

↗️ caniuse-lite (indirect, 1.0.30001774 → 1.0.30001788) · Repo · Changelog

↗️ electron-to-chromium (indirect, 1.5.267 → 1.5.339) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ node-releases (indirect, 2.0.27 → 2.0.37) · Repo

Commits

See the full diff on Github. The new version differs by 19 commits:

• 2.0.37
• feat: Nightly Sync
• 2.0.36
• 2.0.35
• feat: Nightly Sync
• 2.0.34
• feat: Nightly Sync
• 2.0.33
• feat: Nightly Sync
• 2.0.32
• feat: Nightly Sync
• 2.0.31
• feat: Nightly Sync
• 2.0.30
• feat: Nightly Sync
• 2.0.29
• feat: Nightly Sync
• 2.0.28
• feat: Nightly Sync

🆕 @​esbuild/netbsd-arm64 (added, 0.28.0)

🆕 @​esbuild/openbsd-arm64 (added, 0.28.0)

🆕 @​esbuild/openharmony-arm64 (added, 0.28.0)

🆕 @​esbuild/aix-ppc64 (added, 0.28.0)

🆕 @​esbuild/android-arm (added, 0.28.0)

🆕 @​esbuild/android-arm64 (added, 0.28.0)

🆕 @​esbuild/android-x64 (added, 0.28.0)

🆕 @​esbuild/darwin-arm64 (added, 0.28.0)

🆕 @​esbuild/darwin-x64 (added, 0.28.0)

🆕 @​esbuild/freebsd-arm64 (added, 0.28.0)

🆕 @​esbuild/freebsd-x64 (added, 0.28.0)

🆕 @​esbuild/linux-arm (added, 0.28.0)

🆕 @​esbuild/linux-arm64 (added, 0.28.0)

🆕 @​esbuild/linux-ia32 (added, 0.28.0)

🆕 @​esbuild/linux-loong64 (added, 0.28.0)

🆕 @​esbuild/linux-mips64el (added, 0.28.0)

🆕 @​esbuild/linux-ppc64 (added, 0.28.0)

🆕 @​esbuild/linux-riscv64 (added, 0.28.0)

🆕 @​esbuild/linux-s390x (added, 0.28.0)

🆕 @​esbuild/linux-x64 (added, 0.28.0)

🆕 @​esbuild/netbsd-x64 (added, 0.28.0)

🆕 @​esbuild/openbsd-x64 (added, 0.28.0)

🆕 @​esbuild/sunos-x64 (added, 0.28.0)

🆕 @​esbuild/win32-arm64 (added, 0.28.0)

🆕 @​esbuild/win32-ia32 (added, 0.28.0)

🆕 @​esbuild/win32-x64 (added, 0.28.0)

🆕 esbuild (added, 0.28.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

[sourcery-ai]

Hi @depfu[bot]! 👋

Your private repo does not have access to Sourcery.

Please upgrade to continue using Sourcery ✨

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Free

Run ID: b43baa78-e5ac-40da-af55-89aa023710b7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	autoprefixer@​10.4.27 ⏵ 10.5.0	+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: npm autoprefixer URLs: https://github.com/browserslist/browserslist#readme, https://twitter.com/browserslist, https://github.com/postcss/autoprefixer#readme, https://github.com/postcss/autoprefixer/issues/1148, DXImageTransform.Microsoft Location: Package overview From: package-lock.json → npm/autoprefixer@10.5.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/autoprefixer@10.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

@depfu merge

[deepsource-io]

DeepSource Code Review

We reviewed changes in de0ad26...22faf67 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		Apr 16, 2026 8:15p.m.	Review ↗
Secrets		Apr 16, 2026 8:15p.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[guibranco]

@gstraccini help

[gstraccini]

That's what I can do :

• @gstraccini add project <projectPath> - Adds a project to the solution file (only for .NET projects).
  • projectPath - [required] The project path to be added to the solution file.
• @gstraccini appveyor build <type> - Runs the AppVeyor build for the target commit and/or pull request.
  • type - [required] Specifies if it should trigger a build in a commit or pull request.
• @gstraccini appveyor bump version <component> - Bumps the CI version in AppVeyor.
  • component - [required] The semver component to bump (major, minor, or build).
• @gstraccini appveyor register - Registers the repository in AppVeyor.
• @gstraccini appveyor reset - Resets the AppVeyor build number for the target repository.
• @gstraccini bump version <version> <project> - Bumps the .NET version in .csproj files. ⚠️ (In development, it may not work as expected!)
  • version - [required] The .NET version.
  • project - [optional] The .csproj file to update. Suppressing this parameter will run the command in all .csproj in the repository/branch.
• @gstraccini cargo clippy - Formats the Rust code using Cargo Clippy (only for Rust projects).
• @gstraccini change runner <runner> <workflow> <jobs> - Changes the GitHub action runner in a workflow file (.yml). ⚠️ (In development, it may not work as expected!)
  • runner - [required] The runner's name.
  • workflow - [required] The workflow filename (with or without the .yml/.yaml extension).
  • jobs - [optional] The jobs to apply this command. Suppressing this parameter will run the command in all jobs within the workflow.
• @gstraccini codacy bypass - Bypasses the Codacy analysis for the target commit and/or pull request.
• @gstraccini codacy reanalyze commit - Reanalyzes the Codacy last commit in a pull request.
• @gstraccini codeclimate bypass - Bypasses the CodeClimate analysis for the target commit and/or pull request.
• @gstraccini composer update lock - Updates the composer.lock file by running composer update --no-interaction (only for PHP projects).
• @gstraccini copy issue <repository> - Copies an issue from one repository to another. ⚠️ (In development, it may not work as expected!)
  • repository - [required] The target repository where the issue will be copied/created.
• @gstraccini copy labels <repository> - Copies the labels from another repository.
  • repository - [required] The owner/repository to copy the labels from.
• @gstraccini create labels <style> <categories> - Creates the default labels in the repository.
  • style - [optional] The labels style (icons or text).
  • categories - [optional] The labels categories (comma-separated).
• @gstraccini csharpier - Formats the C# code using CSharpier (only for .NET projects).
• @gstraccini dotnet slnx - Migrates .sln files to .slnx files using dotnet sln migrate (only for .NET projects).
• @gstraccini fix csproj - Updates the .csproj file with the packages.config version of NuGet packages (only for .NET Framework projects). ⚠️ (In development, it may not work as expected!)
• @gstraccini help - Shows the help message with available commands.
• @gstraccini npm check updates <filter> - Updates dependencies in package.json and package-lock.json using npm-check-updates (only for NPM projects).
  • filter - [optional] The packages to filter.
• @gstraccini npm dist - Generates or regenerates the dist files by running npm run package (only for NPM projects).
• @gstraccini npm lint fix - Fixes linting issues by running npm run lint -- --fix (only for NPM projects).
• @gstraccini nuget check updates <filter> - Checks for NuGet package updates using dotnet-outdated (only for .NET projects).
  • filter - [optional] The packages to filter.
• @gstraccini prettier - Formats the code using Prettier.
• @gstraccini rerun checks <conclusion> - Reruns the checks in the target pull request with a matching conclusion.
  • conclusion - [optional] The conclusion of the checks to rerun (success, failure, neutral, cancelled, timed_out, or action_required).
• @gstraccini rerun workflows <conclusion> - Reruns the workflows (actions) in the target pull request. Only applicable for GitHub Actions.
  • conclusion - [optional] The conclusion of the checks to rerun (success, failure, neutral, cancelled, timed_out, or action_required).
• @gstraccini revert commit <sha1> - Reverts a commit using its SHA1 in the repository. The revert is committed directly into the PR branch.
  • sha1 - [required] The SHA1 of the commit to revert.
• @gstraccini review - Enables review for the target pull request. Useful when the PR submitter wasn't on the watch list or a webhook failed.
• @gstraccini update snapshot - Updates test snapshots by running npm test -- -u (only for Node.js projects).

Multiple commands can be issued simultaneously. Just respect each command pattern (with bot name prefix + command).

Note

If you aren't allowed to use this bot, a reaction with a thumbs down will be added to your comment.

Tip

You can tick (✅) one item from the above list, and it will be triggered! (In beta) (Only parameterless commands).

[guibranco]

@depfu recreate

[github-actions]

Infisical secrets check: 🚨 Secrets leaked!

Caution

The Infisical CLI tool found secrets leaked in your repository.
Please review the scan results and take the necessary actions.
Secrets found: 6

💻 Scan logs

2026-04-16T20:15:23Z INF scanning for exposed secrets...
8:15PM INF 71 commits scanned.
2026-04-16T20:15:23Z INF scan completed in 359ms
2026-04-16T20:15:23Z WRN leaks found: 6

---

🔎 Detected secrets in your GIT history

RuleID	Commit	File	SymlinkFile	Secret	Match	StartLine	EndLine	StartColumn	EndColumn	Author	Message	Date	Email	Fingerprint	Tags	Link
generic-api-key	2e15220	src/mockData.ts		REDACTED	"apiKey: ""REDACTED"""	505	505	6	41	deepsource-autofix[bot]	"style: format code with Prettier (#35)\n\nThis commit fixes the style issues introduced in f85b623 according to the output\nfrom Prettier.\n\nDetails: None\n\nCo-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>\nCo-authored-by: gstraccini[bot] <150967461+gstraccini[bot]@users.noreply.github.com>\nCo-authored-by: Guilherme Branco Stracini guilherme@guilhermebranco.com.br"	2025-09-04T11:22:37Z	62050782+deepsource-autofix[bot]@users.noreply.github.com	2e15220:src/mockData.ts:generic-api-key:505		gstraccini-bot-portal/src/mockData.ts Line 505 in 2e15220 apiKey: "sonar_12345678901234567890",
generic-api-key	2e15220	src/pages/Integrations.tsx		REDACTED	"apiKey: ""REDACTED"""	12	12	8	43	deepsource-autofix[bot]	"style: format code with Prettier (#35)\n\nThis commit fixes the style issues introduced in f85b623 according to the output\nfrom Prettier.\n\nDetails: None\n\nCo-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>\nCo-authored-by: gstraccini[bot] <150967461+gstraccini[bot]@users.noreply.github.com>\nCo-authored-by: Guilherme Branco Stracini guilherme@guilhermebranco.com.br"	2025-09-04T11:22:37Z	62050782+deepsource-autofix[bot]@users.noreply.github.com	2e15220:src/pages/Integrations.tsx:generic-api-key:12		gstraccini-bot-portal/src/pages/Integrations.tsx Line 12 in 2e15220 apiKey: "sonar_12345678901234567890",
generic-api-key	2e15220	src/pages/RepositoryDetail.tsx		REDACTED	"apiKey: ""REDACTED"""	124	124	8	43	deepsource-autofix[bot]	"style: format code with Prettier (#35)\n\nThis commit fixes the style issues introduced in f85b623 according to the output\nfrom Prettier.\n\nDetails: None\n\nCo-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>\nCo-authored-by: gstraccini[bot] <150967461+gstraccini[bot]@users.noreply.github.com>\nCo-authored-by: Guilherme Branco Stracini guilherme@guilhermebranco.com.br"	2025-09-04T11:22:37Z	62050782+deepsource-autofix[bot]@users.noreply.github.com	2e15220:src/pages/RepositoryDetail.tsx:generic-api-key:124		gstraccini-bot-portal/src/pages/RepositoryDetail.tsx Line 124 in 2e15220 apiKey: "sonar_12345678901234567890",
generic-api-key	2e15220	src/pages/RepositoryDetail.tsx		REDACTED	"apiKey: ""REDACTED"""	160	160	8	44	deepsource-autofix[bot]	"style: format code with Prettier (#35)\n\nThis commit fixes the style issues introduced in f85b623 according to the output\nfrom Prettier.\n\nDetails: None\n\nCo-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>\nCo-authored-by: gstraccini[bot] <150967461+gstraccini[bot]@users.noreply.github.com>\nCo-authored-by: Guilherme Branco Stracini guilherme@guilhermebranco.com.br"	2025-09-04T11:22:37Z	62050782+deepsource-autofix[bot]@users.noreply.github.com	2e15220:src/pages/RepositoryDetail.tsx:generic-api-key:160		gstraccini-bot-portal/src/pages/RepositoryDetail.tsx Line 160 in 2e15220 apiKey: "codacy_12345678901234567890",
generic-api-key	2e15220	src/pages/RepositoryDetail.tsx		REDACTED	"apiKey: ""REDACTED"""	178	178	8	42	deepsource-autofix[bot]	"style: format code with Prettier (#35)\n\nThis commit fixes the style issues introduced in f85b623 according to the output\nfrom Prettier.\n\nDetails: None\n\nCo-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>\nCo-authored-by: gstraccini[bot] <150967461+gstraccini[bot]@users.noreply.github.com>\nCo-authored-by: Guilherme Branco Stracini guilherme@guilhermebranco.com.br"	2025-09-04T11:22:37Z	62050782+deepsource-autofix[bot]@users.noreply.github.com	2e15220:src/pages/RepositoryDetail.tsx:generic-api-key:178		gstraccini-bot-portal/src/pages/RepositoryDetail.tsx Line 178 in 2e15220 apiKey: "snyk_12345678901234567890",
generic-api-key	2e15220	src/pages/Settings.tsx		REDACTED	"apiKey: ""REDACTED"""	127	127	8	43	deepsource-autofix[bot]	"style: format code with Prettier (#35)\n\nThis commit fixes the style issues introduced in f85b623 according to the output\nfrom Prettier.\n\nDetails: None\n\nCo-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>\nCo-authored-by: gstraccini[bot] <150967461+gstraccini[bot]@users.noreply.github.com>\nCo-authored-by: Guilherme Branco Stracini guilherme@guilhermebranco.com.br"	2025-09-04T11:22:37Z	62050782+deepsource-autofix[bot]@users.noreply.github.com	2e15220:src/pages/Settings.tsx:generic-api-key:127		gstraccini-bot-portal/src/pages/Settings.tsx Line 127 in 2e15220 apiKey: "sonar_12345678901234567890",

Warning

The above table only displays the first 10 leaked secrets.
You can find the full report here: secrets.csv

---

🐾 Secrets fingerprint

2e1522054d3009edd4cc682e479341776b266eb0:src/mockData.ts:generic-api-key:505
2e1522054d3009edd4cc682e479341776b266eb0:src/pages/Integrations.tsx:generic-api-key:12
2e1522054d3009edd4cc682e479341776b266eb0:src/pages/RepositoryDetail.tsx:generic-api-key:124
2e1522054d3009edd4cc682e479341776b266eb0:src/pages/RepositoryDetail.tsx:generic-api-key:160
2e1522054d3009edd4cc682e479341776b266eb0:src/pages/RepositoryDetail.tsx:generic-api-key:178
2e1522054d3009edd4cc682e479341776b266eb0:src/pages/Settings.tsx:generic-api-key:127

Tip

If you want to ignore these leaked secrets, add the above fingerprint content to a file named .infisicalignore at the repository root level.