fix: upgrade postcss to resolve CVE-2026-41305 by aaronmars · Pull Request #1316 · appfolio/react-gears

aaronmars · 2026-04-24T18:35:56Z

Summary

Upgrades postcss from 8.4.38 to 8.5.10 via yarn up -R postcss
Resolves dependabot alert #160 — XSS via unescaped </style> in PostCSS CSS stringify output (GHSA-qx2v-qp2m-jg93)
Lockfile-only change, no source code modifications

Test plan

Only yarn.lock changed — no runtime impact
CI passes

Resolves dependabot alert #160 — XSS via unescaped </style> in PostCSS CSS stringify output.

github-actions · 2026-04-24T18:39:55Z

Released prerelease version 8.19.3-fee-fix-postcss-dependabot-alert-7fb6d48.0.
You may now run npm install @appfolio/react-gears@fee-fix-postcss-dependabot-alert

fix: upgrade postcss 8.4.38 to 8.5.10 (CVE-2026-41305)

7ec1cd2

Resolves dependabot alert #160 — XSS via unescaped </style> in PostCSS CSS stringify output.

aaronmars requested a review from a team as a code owner April 24, 2026 18:35

aaronmars temporarily deployed to ci April 24, 2026 18:36 — with GitHub Actions Inactive

davidacevedo approved these changes Apr 24, 2026

View reviewed changes

JeremyRH approved these changes Apr 24, 2026

View reviewed changes

aaronmars merged commit 3856ad1 into master Apr 24, 2026
5 checks passed

aaronmars deleted the fee-fix-postcss-dependabot-alert branch April 24, 2026 18:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: upgrade postcss to resolve CVE-2026-41305#1316

fix: upgrade postcss to resolve CVE-2026-41305#1316
aaronmars merged 1 commit into
masterfrom
fee-fix-postcss-dependabot-alert

aaronmars commented Apr 24, 2026

Uh oh!

github-actions Bot commented Apr 24, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

aaronmars commented Apr 24, 2026

Summary

Test plan

Uh oh!

github-actions Bot commented Apr 24, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants