Closed
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
- Upgraded `ip-address` to `^10.2.0` to address CVE-2026-42338. [#1189](https://github.com/sourcebot-dev/sourcebot/pull/1189)
- Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
- Added `postcss` resolutions override to force all instances to `^8.5.10` to address CVE-2026-41305. [#1191](https://github.com/sourcebot-dev/sourcebot/pull/1191)
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the required CVE changelog sentence format

Please rewrite Line 18 to match the repository’s mandated CVE-entry pattern (Upgraded ... to ... to address ...) for consistency with security release notes.

Suggested edit
-- Added `postcss` resolutions override to force all instances to `^8.5.10` to address CVE-2026-41305. [`#1191`](https://github.com/sourcebot-dev/sourcebot/pull/1191)
+- Upgraded `postcss` to `^8.5.10` to address CVE-2026-41305. [`#1191`](https://github.com/sourcebot-dev/sourcebot/pull/1191)

As per coding guidelines, "CHANGELOG entry for CVE fixes should follow the format: Upgraded \` to `^x.y.z` to address CVE-A, CVE-B, .... [#]under the[Unreleased] → Fixed` section."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- Added `postcss` resolutions override to force all instances to `^8.5.10` to address CVE-2026-41305. [#1191](https://github.com/sourcebot-dev/sourcebot/pull/1191)
- Upgraded `postcss` to `^8.5.10` to address CVE-2026-41305. [`#1191`](https://github.com/sourcebot-dev/sourcebot/pull/1191)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` at line 18, Replace the current sentence about the postcss
resolutions override with the repository's CVE entry format: change the line to
"Upgraded `postcss` to `^8.5.10` to address CVE-2026-41305. [`#1191`]" and ensure
this entry remains under the [Unreleased] → Fixed section so it follows the
mandated changelog pattern.


### Changed
- Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
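Review bot: The added `postcss` entry says the override forces "all instances" to `^8.5.10`, which overstates the change: the resolution added in `package.json` is keyed on the single descriptor `postcss@npm:8.4.31`, and the other ranges listed in `yarn.lock` (`^8.4.47`, `^8.5.10`, `^8.5.8`) already resolve to 8.5.12 without it. Whichever sentence format the entry ends up in, name the pinned version that was overridden, or drop "all instances", so a reader of the security notes can tell which dependency path was affected.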
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -59,6 +59,7 @@
"smol-toml@npm:^1.6.0": "^1.6.1",
"teeny-request@npm:^10.0.0": "^10.1.2",
"uuid": "^14.0.0",
"fast-uri@npm:^3.0.1": "^3.1.2"
"fast-uri@npm:^3.0.1": "^3.1.2",
"postcss@npm:8.4.31": "^8.5.10"
}
}
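Review bot: The resolution key `"postcss@npm:8.4.31"` matches only that exact descriptor, so it stops applying, without any error, if the package that pins postcss moves to a different exact version that is still below 8.5.10. `package.json` cannot carry a comment, so record in the PR description which dependency requests the 8.4.31 pin, and consider a CI step that fails when `yarn.lock` contains a postcss resolution older than 8.5.10.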
15 changes: 2 additions & 13 deletions yarn.lock
Expand Up @@ -17172,7 +17172,7 @@ __metadata:
languageName: node
linkType: hard

"nanoid@npm:^3.3.11, nanoid@npm:^3.3.6":
"nanoid@npm:^3.3.11":
version: 3.3.11
resolution: "nanoid@npm:3.3.11"
bin:
Expand Down Expand Up @@ -18369,17 +18369,6 @@ __metadata:
languageName: node
linkType: hard

"postcss@npm:8.4.31":
version: 8.4.31
resolution: "postcss@npm:8.4.31"
dependencies:
nanoid: "npm:^3.3.6"
picocolors: "npm:^1.0.0"
source-map-js: "npm:^1.0.2"
checksum: 10c0/748b82e6e5fc34034dcf2ae88ea3d11fd09f69b6c50ecdd3b4a875cfc7cdca435c958b211e2cb52355422ab6fccb7d8f2f2923161d7a1b281029e4a913d59acf
languageName: node
linkType: hard

"postcss@npm:^8.4.47, postcss@npm:^8.5.10, postcss@npm:^8.5.8":
version: 8.5.12
resolution: "postcss@npm:8.5.12"
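Review bot: Nothing in the diff proves that the removed `postcss@npm:8.4.31` block was the last resolution below the fixed version, since only this region of the lockfile is shown; confirm on the branch, for example with `yarn why postcss`, that 8.5.12 is the only postcss version left. The `nanoid@npm:^3.3.6` and `source-map-js@npm:^1.0.2` descriptors dropped in the neighbouring hunks are the removed block's own dependency ranges, so those two edits are expected and need no separate action.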
Expand Down Expand Up @@ -20572,7 +20561,7 @@ __metadata:
languageName: node
linkType: hard

"source-map-js@npm:^1.0.2, source-map-js@npm:^1.2.1":
"source-map-js@npm:^1.2.1":
version: 1.2.1
resolution: "source-map-js@npm:1.2.1"
checksum: 10c0/7bda1fc4c197e3c6ff17de1b8b2c20e60af81b63a52cb32ec5a5d67a20a7d42651e2cb34ebe93833c5a2a084377e17455854fee3e21e7925c64a51b6a52b0faf