From 08cba377759be04dd94b6170c68446a787aa94c8 Mon Sep 17 00:00:00 2001
From: le king fu
Date: Sun, 26 Apr 2026 15:37:19 -0400
Subject: [PATCH] fix(security): override postcss to ^8.5.10

Resolves GHSA-qx2v-qp2m-jg93 (PostCSS XSS via Unescaped in CSS Stringify Output) in the @expo/metro-config + tailwindcss build chain. Build-time only, not runtime-exploitable in RN, but cleared for audit hygiene.

Defenseur scan post-override: 13/13 passed, 0 findings (the residual uuid cascade is suppressed via defenseurs allowlist for GHSA-w5hq-g745-h8pq).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package-lock.json | 8 ++++----
 package.json      | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index b2330d1..1538d22 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9323,9 +9323,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.4.49",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
-      "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
+      "version": "8.5.12",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+      "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
       "funding": [
         {
           "type": "opencollective",
@@ -9342,7 +9342,7 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "nanoid": "^3.3.7",
+        "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
         "source-map-js": "^1.2.1"
       },
diff --git a/package.json b/package.json
index 1e71233..bfafeb9 100644
--- a/package.json
+++ b/package.json
@@ -66,7 +66,8 @@
   "overrides": {
     "esbuild": "^0.25.0",
     "@xmldom/xmldom": "^0.8.13",
-    "uuid": "^11.0.0"
+    "uuid": "^11.0.0",
+    "postcss": "^8.5.10"
   },
   "private": true
 }
--
2.45.2
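Review bot: The new `"postcss": "^8.5.10"` entry in `overrides` forces every transitive postcss copy onto 8.5.x, not only the @expo/metro-config + tailwindcss path named in the message, so any package in the tree that constrains postcss below 8.5 is silently moved rather than failing resolution. The lockfile hunks show a single `node_modules/postcss` entry moving from 8.4.49 to 8.5.12, which suggests the tree was already deduplicated to one copy, but that is inferred from this diff alone and worth confirming against the full lockfile. Because package.json cannot carry a comment, the advisory ID and the removal condition for this override (the upstream consumers raising their own postcss range to 8.5.10 or later) exist only in this commit message; record them wherever the other `overrides` entries are tracked so the pin is not kept after it stops being needed. It is also worth confirming that 8.5.10 is the patched floor published for GHSA-qx2v-qp2m-jg93 rather than a hand-picked version, since a caret range above a too-low floor would satisfy the override while still admitting an affected release.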