fix(deps): bump postcss to 8.5.13 to address GHSA-qx2v-qp2m-jg93 (#180) #193

Merged
maximus merged 1 commit from issue-180-postcss-audit-fix into main 2026-05-03 19:32:51 +00:00
Owner

Fixes #180

Summary

npm audit fix bumps the transitive postcss dependency from 8.5.6 to 8.5.13, addressing advisory GHSA-qx2v-qp2m-jg93 (moderate severity XSS via unescaped </style> in Stringifier). Lockfile-only — no package.json change.

Why this is low-impact

  • postcss is purely transitive (vite@6.4.2 → postcss). Vite's range ^8.5.3 already accepts 8.5.13.
  • No direct usage in code: no postcss.config.*, no reference in src/ or vite.config.ts. Tailwind v4 uses @tailwindcss/vite (lightningcss) — not postcss.
  • postcss runs at build time only; it never ships in the Tauri binary. The vulnerable code path (Stringifier.raw() re-emitting CSS containing </style>) is not reachable from our sources.
  • Precedent: PR #43 (picomatch 4.0.3 → 4.0.4).

Verification

  • npm audit — 0 vulnerabilities
  • npm run build (tsc + vite) — built in 6.58s
  • npm test (vitest) — 227 test files, 3720 tests passed

Files changed

  • package-lock.json — postcss 8.5.6 → 8.5.13 (4 insertions / 3 deletions)
  • CHANGELOG.md — entry under ### Fixed
  • CHANGELOG.fr.md — entry under ### Corrigé

Acceptance criteria

  • [x] npm audit no longer reports the postcss vulnerability
  • [x] Tauri build passes (npm run build — equivalent to CI)
  • [x] Tests pass
  • [ ] The next defenseur-simpl-resultat run no longer contains the finding (post-merge verification)
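The bug class the PR body describes (a stringifier that re-emits a CSS string value containing `</style>` verbatim, so the CSS breaks out of a `<style>` element once inlined into HTML) is easy to reproduce in isolation. The following is an added example with a toy stringifier, not postcss's code and not part of this PR; the rules, the page template and the `<\/` escaping used in the hardened path are this example's own choices.

```javascript
// Added example, not postcss's implementation: a toy CSS stringifier that shows
// why an unescaped "</style>" inside a CSS string value is an XSS primitive when
// the stringified CSS is inlined into HTML. The HTML tokenizer does not understand
// CSS quoting, so the element ends at the first "</style" it sees.

// Constructed sample: the second rule's string value is attacker-controlled
// (think of a user-supplied theme that is parsed, re-stringified and inlined).
const RULES = [
  { selector: '.card', decls: [{ prop: 'color', value: '#333' }] },
  { selector: '.badge::after',
    decls: [{ prop: 'content', value: '"</style><img src=x onerror=alert(1)>"' }] },
];

// Hardening choice made for this example: in CSS, "\/" is an escape for the
// literal "/", so "<\/style>" denotes the same string as "</style>" to a CSS
// parser, while the HTML tokenizer no longer finds an end tag. Case-insensitive
// because HTML end-tag matching is.
function escapeStyleBreakout(value) {
  return value.replace(/<\/(style)/gi, '<\\/$1');
}

function stringify(rules, { escape }) {
  return rules.map(r => {
    const body = r.decls
      .map(d => `${d.prop}:${escape ? escapeStyleBreakout(d.value) : d.value}`)
      .join(';');
    return `${r.selector}{${body}}`;
  }).join('\n');
}

function renderPage(css) {
  return `<html><head><style>${css}</style></head><body></body></html>`;
}

// Approximates the HTML tokenizer's RAWTEXT handling of <style>: the element's
// text ends at the first "</style" regardless of CSS quoting. Returns the markup
// between that point and </head>, i.e. what a browser would parse as HTML.
function markupAfterStyle(html) {
  const open = html.indexOf('<style>') + '<style>'.length;
  const close = html.slice(open).search(/<\/style/i);
  if (close === -1) throw new Error('unterminated <style>');
  return html.slice(open + close, html.indexOf('</head>'));
}

// Decodes the one escape the hardened path introduces, to show that the CSS
// value itself is semantically unchanged.
function decodeSlashEscape(value) {
  return value.replace(/\\\//g, '/');
}

const naiveLeak = markupAfterStyle(renderPage(stringify(RULES, { escape: false })));
const hardenedLeak = markupAfterStyle(renderPage(stringify(RULES, { escape: true })));
console.log('naive    :', naiveLeak);
console.log('hardened :', hardenedLeak);
```

With the naive stringifier the leaked markup contains the injected `<img ... onerror=...>`; with the escaping variant only the genuine `</style>` closes the element, and decoding the `\/` escape gives back the original string value.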
maximus added 1 commit 2026-05-03 19:21:38 +00:00
fix(deps): bump postcss to 8.5.13 to address GHSA-qx2v-qp2m-jg93 (#180)
All checks were successful
PR Check / rust (pull_request) Successful in 23m30s
PR Check / frontend (pull_request) Successful in 2m26s
0a8b5c7805
Transitive dependency via vite (range ^8.5.3 already accepts the fix).
Lockfile-only change; no package.json modification needed.

Advisory GHSA-qx2v-qp2m-jg93 is a moderate severity XSS via unescaped
</style> in the CSS stringifier output. postcss runs at build time only
and never ships in the Tauri binary, so practical exposure is nil — but
this clears the npm audit warning and the defenseur finding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author
Owner

Verdict: APPROVE

Summary: Lockfile-only bump of postcss 8.5.6 -> 8.5.13 to resolve GHSA-qx2v-qp2m-jg93. Transitive dependency of vite (range ^8.5.3 accepts 8.5.13), build-time only, no runtime exposure surface on the shipped Tauri binary.

Checks

  • No postcss.config.* and no reference in src/, vite.config.ts or tailwind.config.* -> purely transitive consumption confirmed
  • Tailwind v4 uses @tailwindcss/vite (lightningcss), not postcss -> zero impact on the CSS build chain
  • Lockfile diff = a single entry (node_modules/postcss) + cosmetic addition of the license: MIT field (supplied by the npm registry)
  • Vite 6.4.2 declares postcss: ^8.5.3 -> 8.5.13 satisfies the semver constraint, no peer break
  • No SQL migration, no line of application code touched
  • Bilingual CHANGELOG (FR + EN) under ## [Unreleased] / ### Fixed + ### Corrigé -> conforms to the project rule
  • Conventional commit format respected (fix(deps):)
  • Build + vitest green per the PR body (227 files, 3720 tests)
  • Established precedent: PR #43 (picomatch 4.0.3 -> 4.0.4)

Suggestion (non-blocking)

The acceptance criterion "The next defenseur-simpl-resultat run no longer contains the finding" is expected: to be verified at the next automatic run of the defenseur, with nothing more to do before merge.


Reviewed via /pr-review by Claude Opus 4.7

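The review's lockfile check ("a single entry, node_modules/postcss", and "8.5.13 satisfies ^8.5.3") is the kind of thing worth scripting, because a nested copy of the same package under another dependant's node_modules would not show up in a top-level grep. The following is an added example, not part of the PR or the project: it walks an npm lockfile's `packages` map (lockfile v2/v3 shape), finds every copy of a package, checks each against the fixed version, and checks that every dependant's declared caret range admits the copy npm would resolve for it. The lockfile contents are constructed for the example; only `^x.y.z` ranges with a non-zero major are handled.

```javascript
// Added example (not part of the PR): audit every copy of a package in an npm
// lockfile against a fixed version, and confirm each dependant's range still
// admits the copy it resolves to. Lockfile below is constructed; entries are
// hypothetical apart from the versions quoted in the PR.

const LOCKFILE = {
  name: 'app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { vite: '^6.4.2' } },
    'node_modules/vite': { version: '6.4.2', dependencies: { postcss: '^8.5.3' } },
    'node_modules/postcss': { version: '8.5.13', license: 'MIT' },
  },
};

// Same tree, plus a hypothetical tool that pinned its own nested, older postcss.
const STALE_LOCKFILE = {
  name: 'app', lockfileVersion: 3,
  packages: {
    ...LOCKFILE.packages,
    'node_modules/some-tool': { version: '1.0.0', dependencies: { postcss: '^8.5.3' } },
    'node_modules/some-tool/node_modules/postcss': { version: '8.5.6' },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret semantics for ^x.y.z with x > 0: [x.y.z, (x+1).0.0).
function satisfiesCaret(range, version) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`only ^x.y.z ranges are handled here: ${range}`);
  const lo = parseVersion(m[1]);
  if (lo[0] === 0) throw new Error('0.x caret ranges are not handled in this example');
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && v[0] === lo[0];
}

// Every path ending in /<name> is a copy of that package, top-level or nested.
function copiesOf(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Node resolution order: the dependant's own node_modules, then each ancestor's.
function resolveFor(lock, dependantPath, name) {
  let base = dependantPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

function auditPackage(lock, name, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  const copies = copiesOf(lock, name);
  const below = copies.filter(c => compare(parseVersion(c.version), fixed) < 0);
  const rangeViolations = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = entry.dependencies && entry.dependencies[name];
    if (!range) continue;
    const resolved = resolveFor(lock, path, name);
    if (!resolved || !satisfiesCaret(range, resolved.version)) {
      rangeViolations.push({ dependant: path, range, resolved });
    }
  }
  return {
    copies, below, rangeViolations,
    ok: copies.length > 0 && below.length === 0 && rangeViolations.length === 0,
  };
}

console.log(JSON.stringify(auditPackage(LOCKFILE, 'postcss', '8.5.13'), null, 2));
console.log(JSON.stringify(auditPackage(STALE_LOCKFILE, 'postcss', '8.5.13'), null, 2));
```

On the first lockfile the single copy is 8.5.13 and vite's `^8.5.3` admits it; on the second the nested 8.5.6 under `some-tool` is reported as below the fix even though the top-level copy is current, which is exactly the case `npm audit` catches and a grep of `node_modules/postcss` would not.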
maximus merged commit 87dfd59eda into main 2026-05-03 19:32:51 +00:00
Reference: maximus/Simpl-Resultat#193