
Copilot AI commented Jan 24, 2026

How does the feature work? / How did you fix the issue?

  • Problem: Vulnerable PostCSS versions mishandle carriage-return-delimited comments, letting commented content leak into parsed CSS.
  • Dependency bump: Pin postcss to 8.5.6 via devDependency and override to ensure all workspaces resolve a safe version.
  • Lock refresh: Regenerated lockfile entries to align with the upgraded PostCSS resolution.

Example change:

{
  "devDependencies": {
    "postcss": "^8.5.6"
  },
  "overrides": {
    "nth-check": "^2.1.1",
    "postcss": "^8.5.6"
  }
}

Check list

  • unit-tests written
  • e2e-tests written
  • documentation updated
  • PR name follows the pattern #1234 – issue name
  • branch name doesn't contain '#'
  • PR is linked with the issue
  • base branch (master or release/xx) is correct
  • task status changed to "Code review"
  • reviewers are notified about the pull request
Original prompt

This section details the original issue you should resolve

<issue_title>Refactor: PostCSS line return parsing error</issue_title>
<issue_description>An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Solution: Update postcss package to latest version</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: AlexeyGirin <26869421+AlexeyGirin@users.noreply.github.com>
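The override above only helps if every copy of postcss in the tree actually resolves to a fixed release; nested copies under another package's own node_modules are easy to miss. The following check is an added example, not code from this PR or from PostCSS: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and reports any postcss resolution below 8.4.31, the first fixed version named in the issue. The lockfile it scans is a constructed sample embedded inline.

```javascript
// Added example (not part of the PR): audit a package-lock.json for any
// postcss resolution older than the first fixed release, 8.4.31.
const FIXED_POSTCSS = '8.4.31';

// Compare two dotted release versions numerically (prerelease tags ignored).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map and collect every postcss entry,
// including nested copies such as node_modules/foo/node_modules/postcss,
// whose resolved version is below the fixed release.
function findVulnerablePostcss(lockfile, fixed = FIXED_POSTCSS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isPostcss =
      path === 'node_modules/postcss' || path.endsWith('/node_modules/postcss');
    if (isPostcss && meta.version && compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the hoisted copy is already fixed, but a
// nested copy pulled in by a tool still resolves an old version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', devDependencies: { postcss: '^8.5.6' } },
    'node_modules/postcss': { version: '8.5.6' },
    'node_modules/some-tool/node_modules/postcss': { version: '8.4.21' },
  },
};

for (const f of findVulnerablePostcss(sampleLock)) {
  console.log(`${f.path} resolves postcss ${f.version} (< ${FIXED_POSTCSS})`);
}
```

To run it against a real tree, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.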
Copilot AI changed the title [WIP] Fix PostCSS line return parsing error in linters Update PostCSS dependency to address comment parsing vulnerability Jan 24, 2026
Copilot AI requested a review from AlexeyGirin January 24, 2026 16:52
@AlexeyGirin AlexeyGirin marked this pull request as ready for review January 24, 2026 16:53
@AlexeyGirin AlexeyGirin changed the title Update PostCSS dependency to address comment parsing vulnerability #9022 Refactor: PostCSS line return parsing error Jan 24, 2026
Development

Successfully merging this pull request may close these issues.

Refactor: PostCSS line return parsing error