Skip to content

chore(deps): bump postcss from 8.5.6 to 8.5.10 in /docs#5736

Merged
thomhurst merged 1 commit intomainfrom
dependabot/npm_and_yarn/docs/postcss-8.5.10
Apr 26, 2026
Merged

chore(deps): bump postcss from 8.5.6 to 8.5.10 in /docs#5736
thomhurst merged 1 commit intomainfrom
dependabot/npm_and_yarn/docs/postcss-8.5.10

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 25, 2026

Bumps postcss from 8.5.6 to 8.5.10.

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code PATCH labels Apr 25, 2026
@dependabot dependabot Bot temporarily deployed to Pull Requests April 25, 2026 00:26 Inactive
@dependabot dependabot Bot temporarily deployed to Pull Requests April 25, 2026 00:26 Inactive
@dependabot dependabot Bot temporarily deployed to Pull Requests April 25, 2026 00:26 Inactive
@codacy-production
Copy link
Copy Markdown

codacy-production Bot commented Apr 25, 2026
edited
Loading

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@dependabot @thomhurst
chore(deps): bump postcss from 8.5.6 to 8.5.10 in /docs
9f119fa 
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.10.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.10)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@thomhurst thomhurst force-pushed the dependabot/npm_and_yarn/docs/postcss-8.5.10 branch from 149fa00 to 9f119fa Compare April 26, 2026 11:36
claude[bot]
claude Bot reviewed Apr 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@claude claude Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Dependency Update Review

This is a Dependabot-automated PR bumping postcss from 8.5.6 to 8.5.10 in the /docs directory (an indirect dependency via the documentation site's yarn lockfile).

Change Summary

The diff is a single lockfile update (docs/yarn.lock) with no logic changes:

  • postcss version: 8.5.68.5.10
  • The resolved URL shifts from registry.npmjs.org to registry.yarnpkg.com (both are valid Yarn/npm registries — no concern here)

Notable Fix in This Update

8.5.10 patches a security vulnerability: XSS via unescaped </style> in non-bundler cases. While this affects the /docs toolchain (not TUnit's runtime library), it's still worth applying to keep the development/documentation environment clean.

Assessment

This PR is safe to merge. The change is:

  1. Scoped entirely to docs/yarn.lock — no production .NET code is touched
  2. Addresses a known XSS fix in postcss 8.5.10
  3. The intermediate versions (8.5.7–8.5.9) bring only performance improvements and minor bug fixes with no breaking changes

No concerns with this update. Recommend merging.

@thomhurst thomhurst merged commit 1ec62d2 into main Apr 26, 2026
14 of 15 checks passed
@thomhurst thomhurst deleted the dependabot/npm_and_yarn/docs/postcss-8.5.10 branch April 26, 2026 11:40
@dependabot dependabot Bot mentioned this pull request Apr 26, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code PATCH

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thomhurst