From 0a8b5c780507f1c11a584a29b3a6aa109a489883 Mon Sep 17 00:00:00 2001 From: le king fu Date: Sun, 3 May 2026 15:21:18 -0400 Subject: [PATCH] fix(deps): bump postcss to 8.5.13 to address GHSA-qx2v-qp2m-jg93 (#180) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Transitive dependency via vite (range ^8.5.3 already accepts the fix). Lockfile-only change; no package.json modification needed. Advisory GHSA-qx2v-qp2m-jg93 is a moderate severity XSS via unescaped in the CSS stringifier output. postcss runs at build time only and never ships in the Tauri binary, so practical exposure is nil — but this clears the npm audit warning and the defenseur finding. Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.fr.md | 1 + CHANGELOG.md | 1 + package-lock.json | 7 ++++--- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.fr.md b/CHANGELOG.fr.md index 921c101..f27b231 100644 --- a/CHANGELOG.fr.md +++ b/CHANGELOG.fr.md @@ -17,6 +17,7 @@ - Bilan : correction de l'erreur SQLite « misuse of aggregate function MIN() » au chargement de /balance avec des snapshots existants ; remplacement du pattern aggregate-in-WHERE par une window function ROW_NUMBER() dans getAccountsPeriodAnchor (#175). - Bilan : la sauvegarde d'un snapshot utilise désormais une transaction atomique BEGIN/COMMIT et valide toutes les lignes avant toute écriture en BDD, empêchant les snapshots orphelins lorsque la validation échoue. La migration v11 nettoie les orphelins existants (#176). - Bilan : le sélecteur de date sur `/balance/snapshot` se ferme maintenant après la sélection sur Linux (WebKitGTK) au lieu de rester ouvert jusqu'à ce que l'utilisateur appuie sur Échap. Le contournement appelle `blur()` sur le champ après chaque changement — sans effet sur Windows WebView2 / macOS WKWebView, où le sélecteur se ferme déjà automatiquement (#177). +- Mise à jour de la dépendance `postcss` (8.5.6 → 8.5.13) pour corriger l'avis de sécurité de sévérité modérée GHSA-qx2v-qp2m-jg93 (XSS via `` non échappé dans le stringifier CSS). Transitive via vite, build-time uniquement — aucun impact runtime sur le binaire Tauri livré (#180). ## [0.9.0] - 2026-04-29 diff --git a/CHANGELOG.md b/CHANGELOG.md index 14652bd..3ecf293 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - Bilan: fix SQLite "misuse of aggregate function MIN()" error when loading /balance with existing snapshots; replaced aggregate-in-WHERE pattern with ROW_NUMBER() window function in getAccountsPeriodAnchor (#175). - Bilan: snapshot save now uses atomic BEGIN/COMMIT and validates all lines before any DB write, preventing orphan snapshot rows when validation fails. Migration v11 cleans existing orphans (#176). - Bilan: snapshot date picker on `/balance/snapshot` now closes after a date is selected on Linux (WebKitGTK), instead of staying open until the user pressed Esc. Workaround calls `blur()` on the input after each change — no-op on Windows WebView2 / macOS WKWebView, where the picker already auto-closes (#177). +- Updated `postcss` dependency (8.5.6 → 8.5.13) to address moderate severity advisory GHSA-qx2v-qp2m-jg93 (XSS via unescaped `` in CSS stringifier). Transitive via vite, build-time only — no runtime impact on the shipped Tauri binary (#180). ## [0.9.0] - 2026-04-29 diff --git a/package-lock.json b/package-lock.json index 9be3aa6..ac379a8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2923,9 +2923,9 @@ } }, "node_modules/postcss": { - "version": "8.5.6", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", - "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==", + "version": "8.5.13", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz", + "integrity": "sha512-qif0+jGGZoLWdHey3UFHHWP0H7Gbmsk8T5VEqyYFbWqPr1XqvLGBbk/sl8V5exGmcYJklJOhOQq1pV9IcsiFag==", "dev": true, "funding": [ { @@ -2941,6 +2941,7 @@ "url": "https://github.com/sponsors/ai" } ], + "license": "MIT", "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1",