
Bump postcss from 8.4.31 to 8.5.8#842

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/npm_and_yarn/postcss-8.5.8

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 16, 2026

Bumps postcss from 8.4.31 to 8.5.8.

Release notes

Sourced from postcss's releases.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

  • Fixed package.json#exports compatibility with some tools (by @JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@romainmenke during his work on Stylelint added Input#document in addition to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

  • Fixed package.json#exports compatibility with some tools (by @JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

  • Added Input#document for sources like CSS-in-JS or HTML (by @romainmenke).

8.4.49

8.4.48

  • Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

  • Removed debug code.

8.4.46

  • Fixed Cannot read properties of undefined (reading 'before').

8.4.45

  • Removed unnecessary fix which could lead to infinite loop.

8.4.44

  • Another way to fix markClean is not a function error.

8.4.43

  • Fixed markClean is not a function error.

... (truncated)

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 16, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 16, 2026 07:53

changeset-bot Bot commented Mar 16, 2026

⚠️ No Changeset found

Latest commit: f56f641

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.8 branch from 81bbf88 to 7472faf on March 17, 2026 09:43
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.31 to 8.5.8.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.31...8.5.8)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.8 branch from 7472faf to 618143b on April 2, 2026 18:40
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action / Severity / Alert
Warn High
Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: pnpm-lock.yaml → npm/@react-native/debugger-frontend@0.76.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.76.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml → npm/@babel/core@7.29.0 → npm/caniuse-lite@1.0.30001695

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001695. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml → npm/caniuse-lite@1.0.30001777

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001777. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Contributor

Dependabot review — postcss ^8.4.47 → ^8.5.8

Effective version delta

The PR title says "8.4.31 → 8.5.8", but the master catalog was already at ^8.4.47 and the lockfile had 8.5.6 resolved. So the actual installed delta is 8.5.6 → 8.5.8. The catalog spec changes from ^8.4.47 to ^8.5.8.

Usage in this repo

postcss is used in two places, both indirectly via postcss-preset-env:

  • packages/inputs/postcss.config.js: postcss-preset-env with stage: 1, nesting-rules: true, autoprefixer flexbox tweak. Picked up by Vite for packages/inputs/src/app/styles.css.
  • packages/ui-components/postcss.config.js: postcss-preset-env with stage: 2, nesting-rules: true. Picked up by Vite for packages/ui-components/src/index.css and the GooglePay CSS module.

There is no direct use of the postcss JS API anywhere in the repo (no import postcss, no Processor/Root/Input calls). It is exclusively a build-time CSS transform driven by postcss-load-config/Vite. packages/inputs declares it as a direct devDependency; packages/ui-components pulls it in transitively through postcss-preset-env.

Changelog review (8.4.31 → 8.5.8)

Every release in this range is a bug-fix or type-fix; no breaking changes:

  • 8.5 "Duke Alloces" — additive only: new Input#document for CSS-in-JS / HTML sources. Not used by postcss-preset-env.
  • 8.5.1–8.5.8 — backwards-compat fixes, end-position fix for rules with semicolons, Unknown word error detail, package.json#exports fix for tools, Parcel compat, ContainerWithChildren type discriminator, source-map annotation cleanup perf, Processor#version fix.
  • 8.4.32–8.4.49 — type fixes, markClean / NoWorkResult / original.column / endIndex fixes, parser robustness on long minified files, removal of internal debug code.

Notable: 8.4.31 was the CVE-2023-44270 fix (\r parsing). We are already past that on master; this bump keeps us safely above it.

No suspicious commits, no security regressions, no API surface removals, no perf regressions called out.

Build verification

  • pnpm install --frozen-lockfile
  • pnpm run build (full workspace) ✓ exit 0
  • CSS artifacts produced for inputs, ui-components, and 3ds.
  • Built inputs and ui-components on both master (postcss 8.5.6) and this branch (8.5.8) — output CSS is byte-identical with the same content-hashed filenames (index-CpGG9b9s.css 11358 B; index-BjCpdfux.css 2509 B). No behavioural change at build output level.

Verdict

Safe to merge. No code changes required; nothing pushed to this branch. Pre-existing NodeJS.Timeout TS warnings in packages/react-native-v2 are unrelated to this PR.


Generated by Claude Code
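The review above makes a point worth automating: the range in a Dependabot title (8.4.31 → 8.5.8) is not necessarily what changes in the installed tree, because the lockfile may already resolve a newer version (here 8.5.6). The following Node.js script is an added example, not part of this PR, of Dependabot, or of the repository; it parses the resolved versions in the packages: section of pnpm-lock.yaml on both branches, classifies the claimed and the effective bump by semver level, and flags a downgrade or a duplicated copy of the package. The two lockfile excerpts are constructed and simplified; the lockfileVersion 9 layout, the nanoid and postcss-preset-env entries and the integrity strings are assumptions, not taken from this repository.

```javascript
// Added example (not from this PR, Dependabot or the repository): compute the
// effective version delta of a dependency bump from the lockfiles on both
// branches instead of trusting the range in the PR title.
//
// Constructed, simplified pnpm-lock.yaml excerpt; lockfileVersion 9 layout,
// the extra packages and the integrity strings are assumptions.
const LOCK_BEFORE = `lockfileVersion: '9.0'

importers:
  packages/inputs:
    devDependencies:
      postcss:
        specifier: 'catalog:'
        version: 8.5.6

packages:
  nanoid@3.3.8:
    resolution: {integrity: sha512-CONSTRUCTED}
  postcss@8.5.6:
    resolution: {integrity: sha512-CONSTRUCTED}
  postcss-preset-env@10.1.3:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:
  postcss@8.5.6:
    dependencies:
      nanoid: 3.3.8
`;

// The "after" lockfile is the same excerpt with postcss resolved to 8.5.8.
const LOCK_AFTER = LOCK_BEFORE.replace(/8\.5\.6/g, '8.5.8');

// Collect name -> Set(resolved versions) from the top-level `packages:` section.
// Keys look like `postcss@8.5.6:` or `@babel/core@7.29.0:`; nested fields such
// as resolution: are indented deeper and are skipped.
function resolvedVersions(lockText) {
  const out = new Map();
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) {
      inPackages = line.startsWith('packages:'); // a new top-level key
      continue;
    }
    if (!inPackages) continue;
    const m = /^  (@?[^@\s]+)@(\d[^\s(:]*)(?:\([^)]*\))?:\s*$/.exec(line);
    if (!m) continue;
    const [, name, version] = m;
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(version);
  }
  return out;
}

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// major / minor / patch / none, plus 'downgrade': a "bump" that moves the
// resolved version backwards deserves a closer look than any upgrade.
function bumpLevel(before, after) {
  const cmp = compareSemver(before, after);
  if (cmp === 0) return 'none';
  if (cmp > 0) return 'downgrade';
  const [a, b] = [parseSemver(before), parseSemver(after)];
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return 'patch';
}

// Compare what a Dependabot-style title claims with what the lockfiles resolve.
function effectiveDelta(title, lockBefore, lockAfter) {
  const t = /^Bump (\S+) from (\d+\.\d+\.\d+) to (\d+\.\d+\.\d+)/.exec(title);
  if (!t) throw new Error(`unrecognised title: ${title}`);
  const [, name, claimedFrom, claimedTo] = t;
  const before = [...(resolvedVersions(lockBefore).get(name) || [])];
  const after = [...(resolvedVersions(lockAfter).get(name) || [])];
  if (before.length !== 1 || after.length !== 1) {
    // Several resolved copies mean the package is duplicated in the tree;
    // each copy needs its own review, so refuse to summarise.
    throw new Error(`${name}: ${before.length} -> ${after.length} resolved copies`);
  }
  return {
    name,
    claimed: { from: claimedFrom, to: claimedTo, level: bumpLevel(claimedFrom, claimedTo) },
    effective: { from: before[0], to: after[0], level: bumpLevel(before[0], after[0]) },
    titleMatchesLockfile: claimedFrom === before[0] && claimedTo === after[0],
  };
}

const report = effectiveDelta('Bump postcss from 8.4.31 to 8.5.8', LOCK_BEFORE, LOCK_AFTER);
console.log(JSON.stringify(report, null, 2));
```

On the constructed input the report shows a claimed minor bump but an effective patch bump (8.5.6 → 8.5.8) and titleMatchesLockfile: false, which is the situation the review describes. In a real repository the two lockfiles would be read from the base and head commits (for example via git show base:pnpm-lock.yaml), and the "downgrade" and duplicate-copy cases are the ones that should block an automatic merge rather than be summarised away.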
