Bump postcss, postcss-focus, postcss-loader, postcss-reporter and postcss-simple-vars

[dependabot]

Bumps postcss to 8.5.15 and updates ancestor dependencies postcss, postcss-focus, postcss-loader, postcss-reporter and postcss-simple-vars. These dependencies need to be updated together.

Updates postcss from 5.2.18 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

... (truncated)

Commits

• See full diff in compare view

Updates postcss-focus from 1.0.0 to 7.0.0

Changelog

Sourced from postcss-focus's changelog.

Change Log

This project adheres to Semantic Versioning.

7.0

• Moved to rule splitting to avoid ignoring unknown rule (by Anders Søgaard).
• Added splitRules option for old behavior (by Anders Søgaard).
• Removed Node.js 10, 14, and 16 support.

6.0

• Moved to :focus-visible (by Eduard Aksamitov).
• Added oldFocus option to support the old focus (by Eduard Aksamitov).

5.0.1

• Added funding links.

5.0

• Moved to PostCSS 8.
• Moved postcss to peerDependencies.

4.0

• Use PostCSS 7.
• Remove Node.js 4 support.

3.0

• Do not process if there is a :focus selector already (by Vitalii Rizo).

2.0

• Use PostCSS 6.0.

1.0

• Use PostCSS 5.0 API.
• Do not add spaces for compressed styles.

0.1.1

• Support PostCSS Plugin Guidelines.

0.1

• Initial release.

Commits

• 03285f3 Release 7.0 version
• 30dbdd7 Clean up code
• cb807a9 Clean up tests
• b65ebd3 Fix package description
• 9a99568 Run tests in parallel
• 2655382 Update dependencies
• 9740d22 Remove old Node.js support
• 70ca20e Move to pnpm 8
• 4cc660f Move to Node.js 20
• cc4da18 Lock pnpm on CI
• Additional commits viewable in compare view

Updates postcss-loader from 3.0.0 to 8.2.1

Release notes

Sourced from postcss-loader's releases.

v8.2.1

8.2.1 (2026-02-15)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#717) (a3ed7e2)

v8.2.0

8.2.0 (2025-09-01)

Features

• update jiti from v1 to v2 (9c74974)

v8.1.1

8.1.1 (2024-02-28)

Bug Fixes

• respect default when loading postcss esm configs (52d8050)

v8.1.0

8.1.0 (2024-01-30)

Features

• add @rspack/core as an optional peer dependency (#679) (512e4c3)

v8.0.0

8.0.0 (2024-01-16)

⚠ BREAKING CHANGES

• minimum supported Node.js version is 18.12.0 (#677) (8dd0315)

v7.3.4

7.3.4 (2023-12-27)

Bug Fixes

• do not crash if pkg.(d|devD)ependencies unset (#667) (8ef0c7e)

v7.3.3

7.3.3 (2023-06-10)

... (truncated)

Changelog

Sourced from postcss-loader's changelog.

8.2.1 (2026-02-15)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#717) (a3ed7e2)

8.2.0 (2025-09-01)

Features

• update jiti from v1 to v2 (9c74974)

8.1.1 (2024-02-28)

Bug Fixes

• respect default when loading postcss esm configs (52d8050)

8.1.0 (2024-01-30)

Features

• add @rspack/core as an optional peer dependency (#679) (512e4c3)

8.0.0 (2024-01-16)

⚠ BREAKING CHANGES

• minimum supported Node.js version is 18.12.0 (#677) (8dd0315)

7.3.4 (2023-12-27)

Bug Fixes

• do not crash if pkg.(d|devD)ependencies unset (#667) (8ef0c7e)

7.3.3 (2023-06-10)

Bug Fixes

• perf: avoid using klona for postcss options (#658) (e754c3f)
• bug with loading configurations after updating cosmiconfig to version 8.2 (684d265)

... (truncated)

Commits

• 583677e chore(release): 8.2.1
• a3ed7e2 fix: update peer dependency for @​rspack/core v2 (#717)
• c984ff4 test: fix (#715)
• cc01d2b ci: fix
• d4faa34 docs: update contributing
• b1e4fa5 chore: correct link (#713)
• d990168 chore: migration to main org and branch (#712)
• 522a07d chore(release): 8.2.0
• 9c74974 feat: update jiti from v1 to v2
• 5a781e5 chore: update github actions/checkout from v4 to v5 (#709)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for postcss-loader since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates postcss-reporter from 1.4.1 to 7.1.0

Changelog

Sourced from postcss-reporter's changelog.

Changelog

7.1

• Added better error message support (by Stéphane Goetz).

7.0.5

• Reduced dependencies (by @​onigoetz).

7.0.4

• Replaced nanocolors with picocolors.
• Reduced package size.

7.0.3

• Replaced colorette with nanocolors.

7.0.2

• Reduced dependencies (by @​ludofischer).

7.0.1

• Moved to PostCSS 8.1.
• Added funding links.

7.0.0

• Moved to PostCSS 8.
• Moved postcss to peerDependencies.

6.0.1

• Fix support for messages without text (by @​nodaguti).

6.0.0

• Upgrade to PostCSS 7.
• Drop support for Node 4.

5.0.0

• Move PostCSS from peerDependencies to dependencies.
• Drop support for Node 0.12.

4.0.0

• Upgrade to PostCSS v6. (If you still use PostCSS v5, stick with v3 until you can upgrade your PostCSS.)

... (truncated)

Commits

• 4145438 Prepare 7.1.0
• 0abeb49 Update funding in package.json
• 978feee Update dependencies
• 7109853 Should also report errors by default (#75)
• af4f833 Fix job name and update action
• 02b3f38 Update CI
• 48566ae Bump postcss from 8.4.5 to 8.4.31 (#74)
• c533483 Fix Node.js 12 CI support
• 0f9cd79 Add funding option
• 100813c Prepare 7.0.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ai, a new releaser for postcss-reporter since your current version.

Updates postcss-simple-vars from 3.1.0 to 7.0.1

Changelog

Sourced from postcss-simple-vars's changelog.

7.0.1

• Fixed types (by @​Kaciras).

7.0

• Added escape sequences support (by @​FelixZY).
• Removed Node.js 12 support.
• Removed Node.js 10 support.

6.0.3

• Fixed compatibility with @define-mixin (by Sam Pullman).

6.0.2

• Fixed compatibility with postcss-mixins.

6.0.1

• Fixed PostCSS 8.1 compatability.
• Added funding links.

6.0

• Moved to PostCSS 8.
• Moved postcss to peerDependencies.

5.0.2

• Add keep option (by Mikhail Novikov).

5.0.1

• Remove test files from npm package.

5.0

• Use PostCSS 7 (by Douglas Duteil).
• Remove Node.js 4 support.

4.1

• Pass all variables to result.messages (by Carl Hopf).

4.0

• Use PostCSS 6.0 API.

3.1

• Add TypeScript definitions (by Paolo Roth).

3.0

• Comment variables now must have special <<$(syntax)>>.
• Add nested variables support like $(color$(idx)).

2.0

• Support variables inside comments (by Vince Speelman).

1.2.0

• Add onVariables option (by Duncan Beevers).

... (truncated)

Commits

• f9b9661 Release 7.0.1 version
• e71464f Update dependencies
• ea9b351 Add Node.js 19 to CI
• 4e51a4b make parameter & variables property optional. (#120)
• 1126e31 Release 7.0 version
• 505b5ff Clean up code
• 9c6e25e Update dev practices
• 65ca9ec 117: Support backslash sequences and unicode transformation (#118)
• aaa29b9 Bump jsdom from 16.4.0 to 16.7.0 (#116)
• 4fce22b Bump semver-regex from 3.1.3 to 3.1.4 (#115)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[semgrep-code-auth0-extensions-1]

High severity vulnerability introduced by a package you're using:
Line 9922 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrep-code-auth0-extensions-1]

High severity vulnerability introduced by a package you're using:
Line 5201 lists a dependency (get-func-name) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrep-code-auth0-extensions-1]

Critical severity vulnerability may affect your project—review required:
Line 1094 lists a dependency (@babel/preset-env) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

References: GHSA, CVE

To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrep-code-auth0-extensions-1]

Critical severity vulnerability may affect your project—review required:
Line 968 lists a dependency (@babel/plugin-transform-runtime) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

References: GHSA, CVE

To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrep-code-auth0-extensions-1]

Critical severity vulnerability may affect your project—review required:
Line 1231 lists a dependency (@babel/traverse) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

References: GHSA, CVE

To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.

• If you're affected, upgrade this dependency to at least version 7.23.2 at package-lock.json.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}