build(deps-dev): bump postcss from 8.4.31 to 8.5.10#218
build(deps-dev): bump postcss from 8.4.31 to 8.5.10#218dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.31 to 8.5.10. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.31...8.5.10) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.10 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Size changesDetails📦 Next.js Bundle Analysis for react-devThis analysis was generated by the Next.js Bundle Analysis action. 🤖 This PR introduced no changes to the JavaScript bundle! 🙌 |
There was a problem hiding this comment.
Pull request overview
Updates the project’s PostCSS dev dependency to a newer 8.5.x release (includes an XSS fix per upstream notes) and refreshes the Yarn lockfile accordingly.
Changes:
- Bump
postcssinpackage.jsonfrom^8.4.5to^8.5.10. - Update
yarn.lockto resolvepostcss@^8.5.10and its updated transitive deps (nanoid,picocolors,source-map-js). - Keep an additional
postcss@8.4.31lock entry due to a transitive pin (e.g., Next.js), resulting in multiple PostCSS versions in the tree.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates root devDependency postcss version range to ^8.5.10. |
| yarn.lock | Adds lock entry for postcss@8.5.10 and updates related transitive packages; retains postcss@8.4.31 for pinned consumers. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "metro-cache": "0.72.2", | ||
| "npm-run-all": "^4.1.5", | ||
| "postcss": "^8.4.5", | ||
| "postcss": "^8.5.10", | ||
| "postcss-flexbugs-fixes": "4.2.1", | ||
| "postcss-preset-env": "^6.7.0", |
There was a problem hiding this comment.
Bumping the root postcss devDependency to ^8.5.10 won’t update transitive consumers that pin postcss exactly (the lockfile still pulls postcss@8.4.31). If you need the 8.5.10 security fix everywhere, consider upgrading the package that pins 8.4.31 or adding a Yarn resolutions entry (and running CI/build to confirm it’s safe).
Bumps postcss from 8.4.31 to 8.5.10.
Release notes
Sourced from postcss's releases.
... (truncated)
Changelog
Sourced from postcss's changelog.
... (truncated)
Commits
33b9790Release 8.5.10 version536c79eEscape </style> in CSS output (#2074)afa96b2Update dependencies (#2073)effe88bTypo (#2072)3ee79a2Thread model (#2071)2e0683dCreate incident response docs (#2070)fe88ac2Release 8.5.9 versionc551632Avoid RegExp when we can use simple JS89a6b74Move SECURITY.txt for docs folder to keep GitHub page cleaner6ceb8a4Create SECURITY.mdDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.