Skip to content

fix: patch postcss transitive dep to >=8.5.10 (CVE-2026-41305)#572

Merged
maorun merged 2 commits intomainfrom
copilot/fix-next-16-2-4-vulnerability
Apr 26, 2026
Merged

fix: patch postcss transitive dep to >=8.5.10 (CVE-2026-41305)#572
maorun merged 2 commits intomainfrom
copilot/fix-next-16-2-4-vulnerability

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 25, 2026
edited
Loading

next pulls in postcss@8.4.31 as a transitive dependency, which is vulnerable to XSS via unescaped </style> sequences in CSS stringification (CVE-2026-41305, CVSS 6.1). The fix is available in postcss@8.5.10.

Changes

  • package.json: Added npm overrides to force postcss to >=8.5.10
  • package-lock.json: Resolved postcss to 8.5.10; npm audit now reports 0 vulnerabilities
"overrides": {
  "postcss": ">=8.5.10"
}

Copilot AI linked an issue Apr 25, 2026 that may be closed by this pull request
next-16.2.4.tgz: 1 vulnerabilities (highest severity is: 6.1) #571
Closed
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 25, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
code-stats Ready Ready Preview, Comment Apr 25, 2026 7:01pm

Copilot AI changed the title [WIP] Fix vulnerabilities in next-16.2.4.tgz library fix: patch postcss transitive dep to >=8.5.10 (CVE-2026-41305) Apr 25, 2026
Copilot AI requested a review from maorun April 25, 2026 19:02
@maorun maorun marked this pull request as ready for review April 26, 2026 05:50
Copilot AI review requested due to automatic review settings April 26, 2026 05:50
@maorun maorun merged commit d66c614 into main Apr 26, 2026
8 checks passed
@maorun maorun deleted the copilot/fix-next-16-2-4-vulnerability branch April 26, 2026 05:50
Copilot AI reviewed Apr 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR mitigates CVE-2026-41305 by forcing the vulnerable transitive postcss@8.4.31 dependency (pulled via next) to resolve to a patched version.

Changes:

  • Added an npm overrides entry to require postcss >=8.5.10.
  • Updated package-lock.json to resolve postcss to 8.5.10 (and update its transitive requirements accordingly).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Adds npm overrides to force postcss to a patched version.
package-lock.json Updates the lockfile to resolve postcss to 8.5.10 and refresh related metadata/dependencies.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
"eslint": "^8.57.0 || ^9.0.0 || ^10.0.0"
},
"overrides": {
"postcss": ">=8.5.10"
Copy link

Copilot AI Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using an open-ended override range (">=8.5.10") can allow future major releases (e.g., 9.x) to be installed, which may be incompatible with Next’s expected PostCSS major version and can introduce unexpected breakages. Consider constraining the override to the intended major line (e.g., "8.5.10" or "^8.5.10" / ">=8.5.10 <9").

Suggested change
"postcss": ">=8.5.10"
"postcss": "^8.5.10"

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@maorun maorun Awaiting requested review from maorun

Assignees

@maorun maorun

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

next-16.2.4.tgz: 1 vulnerabilities (highest severity is: 6.1)

3 participants

@maorun