Skip to content

fix: pin postcss to 8.5.10 via overrides to resolve GHSA-qx2v-qp2m-jg93#145

Merged
zaccesss merged 2 commits into
mainfrom
fix/frontend-postcss
Jun 15, 2026
Merged

fix: pin postcss to 8.5.10 via overrides to resolve GHSA-qx2v-qp2m-jg93#145
zaccesss merged 2 commits into
mainfrom
fix/frontend-postcss

Conversation

@zaccesss

Copy link
Copy Markdown
Owner

Summary

  • next bundles its own postcss < 8.5.10 internally, which triggered GHSA-qx2v-qp2m-jg93 (XSS via unescaped </style> in CSS stringify output)
  • Added "overrides": { "postcss": "8.5.10" } to frontend/package.json so npm deduplicates the bundled version without downgrading next
  • npm audit --omit=dev now reports 0 vulnerabilities
  • Documented the fix in CHANGELOG.md under [Unreleased] ### Security

npm audit fix --force was deliberately not used as it would downgrade next to 9.3.3 (a major breaking change).

Closes #141

Test plan

  • CI frontend lint and build passes (next build, tsc)
  • npm audit --omit=dev reports 0 in CI

@zaccesss
zaccesss enabled auto-merge June 15, 2026 12:43
@zaccesss zaccesss closed this Jun 15, 2026
auto-merge was automatically disabled June 15, 2026 12:49

Pull request was closed

@zaccesss zaccesss reopened this Jun 15, 2026
zaccesss added 2 commits June 15, 2026 13:55
next bundles its own postcss < 8.5.10 internally; npm overrides forces
deduplication to the patched version without downgrading next.
npm audit --omit=dev now reports 0 vulnerabilities.

Closes #141
@zaccesss
zaccesss force-pushed the fix/frontend-postcss branch from 502d179 to 4699e75 Compare June 15, 2026 12:55
@zaccesss
zaccesss enabled auto-merge June 15, 2026 12:56
@zaccesss
zaccesss merged commit 4f42068 into main Jun 15, 2026
8 checks passed
@zaccesss
zaccesss deleted the fix/frontend-postcss branch June 15, 2026 12:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security: review frontend production vulnerabilities

1 participant