This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.4.47` → `8.5.10`](https://renovatebot.com/diffs/npm/postcss/8.4.47/8.5.10) |  |  |

---

### PostCSS has XSS via Unescaped `</style>` in its CSS Stringify Output

[CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) / [GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)

<details>
<summary>More information</summary>

#### Details

##### PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output

##### Summary

PostCSS v8.5.5 (latest) does not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS.

##### Proof of Concept

```javascript
const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes
```

**Tested output** (Node.js v22, postcss v8.5.5):

```
Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true
```

##### Impact

Impact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS into the website.
##### Suggested Fix

Escape `</style` in all stringified output values:

```javascript
output = output.replace(/<\/(style)/gi, '<\\/$1');
```

##### Credits

Discovered and reported by [Sunil Kumar](https://tharvid.in) ([@TharVid](https://redirect.github.com/TharVid))

#### Severity

- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

#### References

- [https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305)
- [https://github.com/postcss/postcss/releases/tag/8.5.10](https://redirect.github.com/postcss/postcss/releases/tag/8.5.10)
- [https://github.com/advisories/GHSA-qx2v-qp2m-jg93](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-qx2v-qp2m-jg93) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>postcss/postcss (postcss)</summary>

### [`v8.5.10`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8510)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.9...8.5.10)

- Fixed XSS via unescaped `</style>` in non-bundler cases (by [@TharVid](https://redirect.github.com/TharVid)).

### [`v8.5.9`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#859)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.8...8.5.9)

- Speed up source map encoding parsing in case of an error.

### [`v8.5.8`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#858)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.7...8.5.8)

- Fixed `Processor#version`.
### [`v8.5.7`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#857)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.6...8.5.7)

- Improved source map annotation cleaning performance (by CodeAnt AI).

### [`v8.5.6`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#856)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.5...8.5.6)

- Fixed `ContainerWithChildren` type discriminating (by [@Goodwine](https://redirect.github.com/Goodwine)).

### [`v8.5.5`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#855)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.4...8.5.5)

- Fixed `package.json`→`exports` compatibility with some tools (by [@JounQin](https://redirect.github.com/JounQin)).

### [`v8.5.4`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#854)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.3...8.5.4)

- Fixed Parcel compatibility issue (by [@git-sumitchaudhary](https://redirect.github.com/git-sumitchaudhary)).

### [`v8.5.3`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#853)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.2...8.5.3)

- Added more details to `Unknown word` error (by [@hiepxanh](https://redirect.github.com/hiepxanh)).
- Fixed types (by [@romainmenke](https://redirect.github.com/romainmenke)).
- Fixed docs (by [@catnipan](https://redirect.github.com/catnipan)).

### [`v8.5.2`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#852)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.1...8.5.2)

- Fixed end position of rules with semicolon (by [@romainmenke](https://redirect.github.com/romainmenke)).
### [`v8.5.1`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#851)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.0...8.5.1)

- Fixed backwards compatibility for complex cases (by [@romainmenke](https://redirect.github.com/romainmenke)).

### [`v8.5.0`](https://redirect.github.com/postcss/postcss/releases/tag/8.5.0): 8.5 “Duke Alloces”

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.49...8.5.0)

<img src="https://github.com/user-attachments/assets/6ef654a0-d675-4ba0-a670-e28ef27062f5" align="right" width="200" height="200" alt="President Alloces seal">

PostCSS 8.5 brought an API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS. [@romainmenke](https://redirect.github.com/romainmenke), during [his work](https://redirect.github.com/postcss/postcss/issues/1995) on [Stylelint](https://stylelint.io), added `Input#document` in addition to `Input#css`.

```js
root.source.input.document //=> "<p>Hello</p>
// <style>
// p {
//   color: green;
// }
// </style>"

root.source.input.css //=> "p {
//   color: green;
// }"
```

#### Thanks to Sponsors

This release was possible thanks to our community. If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

- [**Tidelift**](https://tidelift.com/) with a Spotify-like subscription model supporting all projects from your lock file.
- Direct donations at [**GitHub Sponsors**](https://redirect.github.com/sponsors/ai) or [**Open Collective**](https://opencollective.com/postcss#section-contributors).

### [`v8.4.49`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8449)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.48...8.4.49)

- Fixed custom syntax without `source.offset` (by [@romainmenke](https://redirect.github.com/romainmenke)).
### [`v8.4.48`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8448)

[Compare Source](https://redirect.github.com/postcss/postcss/compare/8.4.47...8.4.48)

- Fixed position calculation in error/warnings methods (by [@romainmenke](https://redirect.github.com/romainmenke)).

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/thelounge/thelounge).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
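The escape the advisory suggests, shown as an added example written for this page (not PostCSS's own code), with the advisory's PoC string reused as constructed sample input and a small check that counts how many `</style` end tags an HTML tokenizer would see in the embedded result. The helper names `escapeStyleClose`, `embedUnsafe`, `embedSafe` and `countStyleEndTags` are assumptions of this example.

```javascript
// Added example, not PostCSS's code: standalone version of the advisory's
// suggested fix so the escaping can be checked without the postcss package.

// Constructed sample (the advisory's PoC): a CSS string value that smuggles
// a closing </style> tag followed by a script element.
const USER_CSS = 'body { content: "</style><script>alert(1)</script><style>"; }';

// Vulnerable pattern from the advisory: stringified CSS dropped straight
// into a <style> element without escaping.
function embedUnsafe(css) {
  return `<style>${css}</style>`;
}

// Escape every "</style" prefix, in any letter case, before the CSS reaches
// the HTML template. "\/" is the CSS escape for "/", so the declaration's
// value is unchanged for the CSS parser, while the HTML tokenizer no longer
// sees an end tag inside the style block.
function escapeStyleClose(css) {
  return css.replace(/<\/(style)/gi, '<\\/$1');
}

// Hardened embedding: escape first, then wrap.
function embedSafe(css) {
  return `<style>${escapeStyleClose(css)}</style>`;
}

// Defender-side check: an HTML tokenizer ends a <style> block at the first
// "</style" (case-insensitive) followed by whitespace, "/" or ">". A safe
// embedding contains exactly one such end tag, the real closing one.
function countStyleEndTags(html) {
  const matches = html.match(/<\/style[\s/>]/gi);
  return matches ? matches.length : 0;
}

console.log(embedUnsafe(USER_CSS)); // two </style> end tags: breakout
console.log(embedSafe(USER_CSS));   // one </style> end tag: contained
```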
Modern web IRC client designed for self-hosting
Website • Docs • Demo • Docker
Overview
- Modern features brought to IRC. Push notifications, link previews, new message markers, and more bring IRC to the 21st century.
- Always connected. Remains connected to IRC servers while you are offline.
- Cross platform. It doesn't matter what OS you use, it just works wherever Node.js runs.
- Responsive interface. The client works smoothly on every desktop, smartphone and tablet.
- Synchronized experience. Always resume where you left off no matter what device.
To learn more about configuration, usage and features of The Lounge, take a look at the website.
The Lounge is the official and community-managed fork of Shout, by Mattias Erming.
Installation and usage
The Lounge requires the latest Node.js LTS version or more recent.
The Yarn package manager is also recommended.
If you want to install with npm, `--unsafe-perm` is required for a correct install.
Running stable releases
Please refer to the install and upgrade documentation on our website for all available installation methods.
Running from source
The following commands install and run the development version of The Lounge:

```sh
git clone https://github.com/thelounge/thelounge.git
cd thelounge
yarn install
NODE_ENV=production yarn build
yarn start
```
When installed like this, the `thelounge` executable is not created. Use `node index <command>` to run commands.
⚠️ While it is the most recent codebase, this is not production-ready! Run at your own risk. It is also not recommended to run this as root.
Development setup
Simply follow the instructions to run The Lounge from source above, on your own fork.
Before submitting any change, make sure to:

- Read the Contributing instructions
- Run `yarn test` to execute linters and the test suite
  - Run `yarn format:prettier` if linting fails
- Run `yarn build:client` if you change or add anything in `client/js` or `client/components`
  - The built files will be output to `public/` by webpack
- Run `yarn build:server` if you change anything in `server/`
  - The built files will be output to `dist/` by tsc

`yarn dev` can be used to start The Lounge with hot module reloading.
To ensure that you don't commit files that fail the linting, you can install a pre-commit git hook.
Execute yarn githooks-install to do so.
