deps(canvas): bump postcss 8.5.9 → 8.5.12 (GHSA-qx2v-qp2m-jg93)

Closes the medium-severity dependabot alert on canvas/package-lock.json. Upstream advisory GHSA-qx2v-qp2m-jg93: "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output" — fixed in 8.5.10. We pull 8.5.12 since it's already published in the ^8.5.10 line. package.json's caret range bumps from ^8.4.0 to ^8.5.12 — wider floor prevents a future install from re-pinning below the safe version. The 8.x major-line constraint is preserved, so no breaking-change risk. Verification: full canvas vitest suite passes (1148/1148 across 78 files). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 05:59:02 -07:00 · 2026-04-27 05:59:02 -07:00 · 6365e94213
commit 6365e94213
parent 1a2ddb4539
2 changed files with 6 additions and 5 deletions
--- a/canvas/package-lock.json
+++ b/canvas/package-lock.json
@ -36,7 +36,7 @@
        "@vitest/coverage-v8": "^4.1.5",
        "autoprefixer": "^10.4.0",
        "jsdom": "^25.0.0",
-        "postcss": "^8.4.0",
+        "postcss": "^8.5.12",
        "tailwindcss": "^3.4.0",
        "typescript": "^5.7.0",
        "vitest": "^4.1.2"
@ -5423,9 +5423,9 @@
      }
    },
    "node_modules/postcss": {
-      "version": "8.5.9",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz",
-      "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==",
+      "version": "8.5.12",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+      "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
      "funding": [
        {
          "type": "opencollective",
@ -6805,6 +6805,7 @@
      "integrity": "sha512-9Xx1v3/ih3m9hN+SbfkUyy0JAs72ap3r7joc87XL6jwF0jGg6mFBvQ1SrwaX+h8BlkX6Hz9shdd1uo6AF+ZGpg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@vitest/expect": "4.1.5",
        "@vitest/mocker": "4.1.5",
--- a/canvas/package.json
+++ b/canvas/package.json
@ -39,7 +39,7 @@
    "@vitest/coverage-v8": "^4.1.5",
    "autoprefixer": "^10.4.0",
    "jsdom": "^25.0.0",
-    "postcss": "^8.4.0",
+    "postcss": "^8.5.12",
    "tailwindcss": "^3.4.0",
    "typescript": "^5.7.0",
    "vitest": "^4.1.2"