From 98ae174b8b1b7c73456ecb41e470e269544ec994 Mon Sep 17 00:00:00 2001
From: Val Redchenko
Date: Mon, 11 May 2026 11:12:20 +0100
Subject: [PATCH] fix(deps): bump postcss 8.5.8 -> 8.5.14 (CVE-2026-41305)

Clears osv-scanner alert for GHSA-qx2v-qp2m-jg93. postcss is a transitive dep via vite; the vulnerability is XSS via unescaped when re-stringifying user-submitted CSS - not exploitable here (webui does not accept user CSS, postcss runs build-time only) but bumping clears the alert.
---
 webui/package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/webui/package-lock.json b/webui/package-lock.json
index 3ecca94..18005a2 100644
--- a/webui/package-lock.json
+++ b/webui/package-lock.json
@@ -6012,9 +6012,9 @@
 }
 },
 "node_modules/postcss": {
- "version": "8.5.8",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
- "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
+ "version": "8.5.14",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.14.tgz",
+ "integrity": "sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==",
 "funding": [
 {
 "type": "opencollective",