
fix: add postcss resolutions override to address CVE-2026-41305 #1191

Closed
brendan-kellam wants to merge 3 commits into main from cursor/fix-SOU-995-d3b3

Conversation


brendan-kellam (Contributor) commented May 9, 2026

Fixes SOU-995

Summary

This PR adds a Yarn resolutions override to force all PostCSS instances (including the transitive dependency from Next.js) to use version ^8.5.10, which addresses CVE-2026-41305.

Background

CVE-2026-41305 is an XSS vulnerability in PostCSS versions prior to 8.5.10. The vulnerability allows unescaped </style> sequences in CSS AST stringification, which can break out of style contexts and enable XSS attacks.

PR #1155 previously upgraded the direct PostCSS devDependency in packages/web/package.json from ^8 to ^8.5.10. However, Next.js 16.2.3 has a pinned dependency on PostCSS 8.4.31 (vulnerable), which was not addressed by the direct dependency upgrade.

Changes

  • Added "postcss@npm:8.4.31": "^8.5.10" to the resolutions section in the root package.json
  • Updated yarn.lock to reflect the new resolution (all PostCSS instances now resolve to 8.5.12)

Verification

Before fix:

$ yarn why postcss --recursive | grep "8.4.31"
   │     └─ postcss@npm:8.4.31 (via npm:8.4.31)
   │  └─ postcss@npm:8.4.31 (via npm:8.4.31)

After fix:

$ yarn why postcss --recursive | grep "next@npm:16.2.3" -A1
   │  └─ next@npm:16.2.3 [02298] (via npm:^16.2.3 [02298])
   │     └─ postcss@npm:8.5.12 (via npm:^8.5.10)
   ├─ next@npm:16.2.3 [7c8a9] (via npm:^16.2.3 [7c8a9])
   │  └─ postcss@npm:8.5.12 (via npm:^8.5.10)

All PostCSS instances now use 8.5.12 (>= 8.5.10, the patched version).

References

Linear Issue: SOU-995

Summary by CodeRabbit

  • Bug Fixes
    • PostCSS dependency updated to version 8.5.10.

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
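The override works because a Yarn Berry `resolutions` entry rewrites the descriptor `postcss@npm:8.4.31` to `^8.5.10` before the lockfile is resolved, so the `yarn why` check above is really a check that no lockfile entry for `postcss` still resolves below the patched version. The following is an added example, not code from this PR or from the sourcebot project: a small scanner that parses a Yarn Berry `yarn.lock` and reports every `postcss` entry whose resolved version is below `8.5.10`. The two lockfile snippets are constructed to mirror the before and after states the PR describes, and the parser only reads the fields it needs (top-level descriptor keys and their `version:` lines); the semver comparison ignores prerelease tags.

```javascript
// Added example (not part of PR #1191): scan a Yarn Berry yarn.lock for any
// entry of a package whose resolved version is below a patched minimum.
//
// The PR's override in the root package.json (quoted from the description):
//   "resolutions": { "postcss@npm:8.4.31": "^8.5.10" }
//
// Both lockfile texts below are constructed for illustration; a real yarn.lock
// is much larger and carries extra fields (resolution, checksum, languageName).

// Constructed "before" state: Next.js pins postcss 8.4.31 and the lockfile
// keeps a separate, vulnerable entry for that descriptor.
const SAMPLE_LOCK_BEFORE = `
"next@npm:16.2.3":
  version: 16.2.3
  resolution: "next@npm:16.2.3"
  dependencies:
    postcss: "npm:8.4.31"

"postcss@npm:8.4.31":
  version: 8.4.31
  resolution: "postcss@npm:8.4.31"

"postcss@npm:^8.5.10":
  version: 8.5.12
  resolution: "postcss@npm:8.5.12"
`;

// Constructed "after" state: the resolutions override folds the 8.4.31
// descriptor into the entry that resolves to 8.5.12.
const SAMPLE_LOCK_AFTER = `
"next@npm:16.2.3":
  version: 16.2.3
  resolution: "next@npm:16.2.3"
  dependencies:
    postcss: "npm:8.4.31"

"postcss@npm:8.4.31, postcss@npm:^8.5.10":
  version: 8.5.12
  resolution: "postcss@npm:8.5.12"
`;

// Parse the minimal structure we need: each unindented line ending in ':'
// opens an entry whose key lists one or more descriptors, and the indented
// 'version:' line inside it gives the resolved version.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.length === 0) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      const key = raw.slice(0, -1).replace(/^"|"$/g, '');
      current = { descriptors: key.split(', '), version: null };
      entries.push(current);
    } else if (current && /^\s+version:/.test(raw)) {
      current.version = raw.split(':', 2)[1].trim().replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// Compare two dotted versions numerically (major, minor, patch).
// Prerelease suffixes such as '-beta.1' are ignored, which is fine for
// checking release versions against a release minimum.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name is everything before the last '@' in a descriptor, which
// keeps scoped names like '@img/sharp' intact.
function packageName(descriptor) {
  const at = descriptor.lastIndexOf('@');
  return at > 0 ? descriptor.slice(0, at) : descriptor;
}

// Return every descriptor of pkgName whose resolved version is below
// minVersion. Matching by package name rather than by the override key means
// a second, differently pinned vulnerable descriptor would also be reported.
function findVulnerable(lockText, pkgName, minVersion) {
  const out = [];
  for (const entry of parseLock(lockText)) {
    if (!entry.version) continue;
    for (const d of entry.descriptors) {
      if (packageName(d) === pkgName && compareSemver(entry.version, minVersion) < 0) {
        out.push({ descriptor: d, version: entry.version });
      }
    }
  }
  return out;
}

console.log('before:', JSON.stringify(findVulnerable(SAMPLE_LOCK_BEFORE, 'postcss', '8.5.10')));
console.log('after: ', JSON.stringify(findVulnerable(SAMPLE_LOCK_AFTER, 'postcss', '8.5.10')));
```

Run against the real lockfile by reading `yarn.lock` with `fs.readFileSync` and passing its contents to `findVulnerable`; an empty result is the condition the PR's "After fix" output demonstrates. The scanner deliberately keys on the package name rather than on the override's descriptor, because a `resolutions` key such as `postcss@npm:8.4.31` only rewrites that exact descriptor; another dependency pinning a different pre-8.5.10 version would need its own override (or a bare `postcss` key), and a name-based scan is what surfaces that case.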

coderabbitai Bot commented May 9, 2026

Walkthrough

This PR adds a postcss version resolution override to force version ^8.5.10 in the root package.json resolutions map, replacing an earlier pin, with a corresponding changelog entry documenting the change.

Changes

PostCSS Resolution Override

| Layer / File(s) | Summary |
| --- | --- |
| Dependency Resolution Override (package.json) | Root resolutions map adds postcss@npm:8.4.31 override to force ^8.5.10. |
| Changelog Documentation (CHANGELOG.md) | Unreleased Fixed section documents the postcss resolutions override and references PR #1191. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • sourcebot-dev/sourcebot#1155: Both PRs adjust PostCSS versioning to 8.5.10 across different package manifests with coordinated changelog entries.
Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately describes the main change: adding a postcss resolutions override to fix a security vulnerability (CVE-2026-41305). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

| Metric | Count |
| --- | --- |
| Total packages | 2066 |
| Resolved (non-standard) | 11 |
| Unresolved | 0 |
| Strong copyleft | 0 |
| Weak copyleft | 38 |

Weak Copyleft Packages (informational)

| Package | Version | License |
| --- | --- | --- |
| @img/sharp-libvips-darwin-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.0.5 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-ppc64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-riscv64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-wasm32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-wasm32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-win32-arm64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| axe-core | 4.10.3 | MPL-2.0 |
| lightningcss | 1.32.0 | MPL-2.0 |
| lightningcss-android-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-freebsd-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm-gnueabihf | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-win32-arm64-msvc | 1.32.0 | MPL-2.0 |
| lightningcss-win32-x64-msvc | 1.32.0 | MPL-2.0 |
Resolved Packages (11)

| Package | Version | Original | Resolved | Source |
| --- | --- | --- | --- | --- |
| @react-grab/cli | 0.1.23 | UNKNOWN | MIT | GitHub repo aidenybai/react-grab LICENSE file |
| @react-grab/cli | 0.1.29 | UNKNOWN | MIT | GitHub repo aidenybai/react-grab LICENSE file |
| @react-grab/mcp | 0.1.29 | UNKNOWN | MIT | GitHub repo aidenybai/react-grab (monorepo, packages/mcp) LICENSE file |
| codemirror-lang-elixir | 4.0.0 | UNKNOWN | Apache-2.0 | npm registry API (license field on package metadata) |
| element-source | 0.0.3 | UNKNOWN | MIT | GitHub repo aidenybai/element-source LICENSE file |
| lezer-elixir | 1.1.2 | UNKNOWN | Apache-2.0 | npm registry API (license field on package metadata) |
| map-stream | 0.1.0 | UNKNOWN | MIT | npm registry API (license field on package metadata) |
| memorystream | 0.3.1 | UNKNOWN | MIT | npm registry API (legacy licenses array: type=MIT) |
| pause-stream | 0.0.11 | ["MIT","Apache2"] | MIT | extracted from license array on npm registry (MIT element) |
| posthog-js | 1.369.0 | SEE LICENSE IN LICENSE | Apache-2.0 | GitHub repo PostHog/posthog-js LICENSE file (Apache License 2.0) |
| valid-url | 1.0.9 | UNKNOWN | MIT | GitHub repo ogt/valid-url LICENSE file |

@brendan-kellam brendan-kellam marked this pull request as ready for review May 9, 2026 22:52

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In `@CHANGELOG.md`:
- Line 18: Replace the current sentence about the postcss resolutions override
with the repository's CVE entry format: change the line to "Upgraded `postcss`
to `^8.5.10` to address CVE-2026-41305. [`#1191`]" and ensure this entry remains
under the [Unreleased] → Fixed section so it follows the mandated changelog
pattern.

📥 Commits

Reviewing files that changed from the base of the PR and between ad7f9f6 and 41418dc.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

Comment thread on CHANGELOG.md (context lines from the diff):
- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
- Upgraded `ip-address` to `^10.2.0` to address CVE-2026-42338. [#1189](https://github.com/sourcebot-dev/sourcebot/pull/1189)
- Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
- Added `postcss` resolutions override to force all instances to `^8.5.10` to address CVE-2026-41305. [#1191](https://github.com/sourcebot-dev/sourcebot/pull/1191)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the required CVE changelog sentence format

Please rewrite Line 18 to match the repository’s mandated CVE-entry pattern (Upgraded ... to ... to address ...) for consistency with security release notes.

Suggested edit
-- Added `postcss` resolutions override to force all instances to `^8.5.10` to address CVE-2026-41305. [`#1191`](https://github.com/sourcebot-dev/sourcebot/pull/1191)
+- Upgraded `postcss` to `^8.5.10` to address CVE-2026-41305. [`#1191`](https://github.com/sourcebot-dev/sourcebot/pull/1191)
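Review bot: the suggested replacement line drops the detail an auditor reading this changelog needs, namely that `postcss` was not upgraded as a direct dependency here but forced to `^8.5.10` through a `resolutions` override on the transitive pin from Next.js; the direct-dependency upgrade was already logged under #1155, so the shortened sentence would read as a duplicate of that entry. The mandated "Upgraded ... to ... to address ..." prefix can be kept while preserving the distinction, e.g. "Upgraded `postcss` to `^8.5.10` (via a resolutions override covering the Next.js transitive pin) to address CVE-2026-41305. [`#1191`](https://github.com/sourcebot-dev/sourcebot/pull/1191)".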

As per coding guidelines, "CHANGELOG entry for CVE fixes should follow the format: Upgraded ` ` to `^x.y.z` to address CVE-A, CVE-B, .... [#] under the [Unreleased] → Fixed section."

