chore(deps): bump postcss to 8.5.10 (XSS via unescaped </style>)

[coderdan]

Summary

• Bumps `postcss` to `8.5.10` to patch alert #102: XSS via unescaped `</style>` in CSS stringify output. Vulnerable range: `< 8.5.10`.

Lockfile state

Two postcss versions were present, both vulnerable:

• `postcss@8.4.31` — pinned exactly by `next@15.5.10` (`dependencies: { postcss: '8.4.31' }`)
• `postcss@8.5.6` — transitive peer of `tsup`, `vite`, `postcss-load-config`

Both replaced with `postcss@8.5.10`. Since the two entries have identical deps (`nanoid`, `picocolors`, `source-map-js`), they deduplicate into a single resolution.

On overriding next's exact pin

Next.js declares `postcss: '8.4.31'` as an exact dep (not a range). The root override `"postcss": ">=8.5.10"` forces 8.5.10 in the lockfile despite the exact pin. postcss 8.5.x is API-compatible with 8.4.x (8.5.0 added container-query support; no breaks), and Next.js's postcss usage is internal to its build pipeline.

Changes

• Override added: `"postcss": ">=8.5.10"`.
• Surgical `pnpm-lock.yaml` edit (`postcss@8.4.31` and `postcss@8.5.6` → `postcss@8.5.10` everywhere, including peer-hash strings in tsup/vite/postcss-load-config snapshot keys; integrity from `npm view postcss@8.5.10 dist.integrity`; duplicate entries collapsed).

Test plan

• `pnpm install --frozen-lockfile` from clean `node_modules` validates.
• `postcss@8.5.10` confirmed installed.
• Watch CI on this PR.
• After merge, alert chore(protect): release npm with updated readme #102 auto-closes.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 18f5ae3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Warning

Rate limit exceeded

@coderdan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 15 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aee6f8eb-771e-4521-9541-4a927cc9595a

📥 Commits

Reviewing files that changed from the base of the PR and between 301c044 and 18f5ae3.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dan/bump-postcss-8.5.10

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}