From 6365e94213173a276803be3c649504f2b3552ceb Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Mon, 27 Apr 2026 05:59:02 -0700
Subject: [PATCH] =?UTF-8?q?deps(canvas):=20bump=20postcss=208.5.9=20?=
 =?UTF-8?q?=E2=86=92=208.5.12=20(GHSA-qx2v-qp2m-jg93)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the medium-severity dependabot alert on canvas/package-lock.json. Upstream advisory GHSA-qx2v-qp2m-jg93: "PostCSS has XSS via Unescaped in its CSS Stringify Output" — fixed in 8.5.10. We pull 8.5.12 since it's already published in the ^8.5.10 line. package.json's caret range bumps from ^8.4.0 to ^8.5.12 — wider floor prevents a future install from re-pinning below the safe version. The 8.x major-line constraint is preserved, so no breaking-change risk. Verification: full canvas vitest suite passes (1148/1148 across 78 files).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 canvas/package-lock.json | 9 +++++----
 canvas/package.json | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/canvas/package-lock.json b/canvas/package-lock.json
index f6ebc164..7d22466a 100644
--- a/canvas/package-lock.json
+++ b/canvas/package-lock.json
@@ -36,7 +36,7 @@
 "@vitest/coverage-v8": "^4.1.5",
 "autoprefixer": "^10.4.0",
 "jsdom": "^25.0.0",
- "postcss": "^8.4.0",
+ "postcss": "^8.5.12",
 "tailwindcss": "^3.4.0",
 "typescript": "^5.7.0",
 "vitest": "^4.1.2"
@@ -5423,9 +5423,9 @@
 }
 },
 "node_modules/postcss": {
- "version": "8.5.9",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz",
- "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==",
+ "version": "8.5.12",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+ "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
 "funding": [
 {
 "type": "opencollective",
@@ -6805,6 +6805,7 @@
 "integrity": "sha512-9Xx1v3/ih3m9hN+SbfkUyy0JAs72ap3r7joc87XL6jwF0jGg6mFBvQ1SrwaX+h8BlkX6Hz9shdd1uo6AF+ZGpg==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@vitest/expect": "4.1.5",
 "@vitest/mocker": "4.1.5",
diff --git a/canvas/package.json b/canvas/package.json
index bbc908fc..73d6fcd0 100644
--- a/canvas/package.json
+++ b/canvas/package.json
@@ -39,7 +39,7 @@
 "@vitest/coverage-v8": "^4.1.5",
 "autoprefixer": "^10.4.0",
 "jsdom": "^25.0.0",
- "postcss": "^8.4.0",
+ "postcss": "^8.5.12",
 "tailwindcss": "^3.4.0",
 "typescript": "^5.7.0",
 "vitest": "^4.1.2"