
@depfu (depfu bot, Contributor) commented Oct 2, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ tailwindcss (3.4.4 → 3.4.18) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ postcss (8.4.38 → 8.5.6) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ glob (indirect, 7.1.6 → 10.4.5) · Repo · Changelog

Release Notes

10.3.0 (from changelog)

  • Add --default -p flag to provide a default pattern

10.2.0 (from changelog)

  • Add glob cli

10.1.0 (from changelog)

  • Return '.' instead of the empty string '' when the current working directory is returned as a match.
  • Add posix: true option to return / delimited paths, even on Windows.

10.0.0 (from changelog)

  • No default exports, only named exports

9.3.3 (from changelog)

  • Upgraded minimatch to v8, adding support for any degree of nested extglob patterns.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-core-module (indirect, 2.12.0 → 2.16.1) · Repo · Changelog

Release Notes

2.16.1 (from changelog)

Fixed

  • [Fix] node:sqlite is available in node ^22.13 #17

2.16.0 (from changelog)

Commits

  • [New] add node:sqlite 1ee94d2
  • [Dev Deps] update auto-changelog, tape aa84aa3

2.15.1 (from changelog)

Commits

  • [Tests] add process.getBuiltinModule tests 28c7791
  • [Fix] test/mock_loader is no longer exposed as of v22.7 68b08b0
  • [Tests] replace aud with npm audit 32f8060
  • [Dev Deps] update mock-property f7d3c8f
  • [Dev Deps] add missing peer dep eaee885

2.15.0 (from changelog)

Commits

2.14.0 (from changelog)

Commits

  • [Dev Deps] update @ljharb/eslint-config, aud, mock-property, npmignore, tape 0e43200
  • [meta] add missing engines.node 4ea3af8
  • [New] add test/mock_loader e9fbd29
  • [Deps] update hasown 57f1940

2.13.1 (from changelog)

Commits

  • [Refactor] use hasown instead of has 0e52096
  • [Dev Deps] update mock-property, tape 8736b35

2.13.0 (from changelog)

Commits

  • [Dev Deps] update @ljharb/eslint-config, aud, semver, tape c75b263
  • [New] node:test/reporters and wasi/node:wasi are in v18.17 d76cbf8

2.12.1 (from changelog)

Commits

  • [Fix] test/reporters now requires the node: prefix as of v20.2 12183d0


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jiti (indirect, 1.21.3 → 1.21.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ micromatch (indirect, 4.0.5 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nanoid (indirect, 3.3.7 → 3.3.11) · Repo · Changelog

Security Advisories 🚨

🚨 Predictable results in nanoid generation when given non-integer values

When nanoid is called with a fractional value, there were a number of undesirable effects:

  1. in browser and non-secure, the code infinite loops on while (size--)
  2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
  3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Versions 3.3.8 and 5.0.9 are fixed.

Release Notes

3.3.11

  • Fixed React Native support.

3.3.8 (from changelog)

  • Fixed a way to break Nano ID by passing non-integer size (by @myndzi).


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ picocolors (indirect, 1.0.0 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1

What's new?

  • Moved TypeScript declarations to a d.ts file #82
  • Reworked color detection algorithm to properly work with empty strings in NO_COLOR and FORCE_COLOR env variables #87
  • Eliminated require() call to make the package compatible with some tools #87

1.1.0

What's new?

  • Added bright color variants #55

1.0.1

What's new?

  • Updated color detection mechanism to work properly on Vercel Edge Runtime #64
  • Remove use of recursion to avoid possible stack overflow for very long inputs #56


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ postcss-load-config (indirect, 4.0.1 → 6.0.1) · Repo · Changelog

Release Notes

6.0.1 (from changelog)

Bug Fixes

  • Fixed bundlers support (#262)

5.1.0 (from changelog)

Features

  • Allow to use tsx for TypeScript support (#260)

5.0.3 (from changelog)

Bug Fixes

  • Fixed update of ESM configs (#259)

5.0.2 (from changelog)

Bug Fixes

  • Fixed __require name conflict (#257)

5.0.1 (from changelog)

Bug Fixes

  • Fixed Windows support (#256)

4.0.2 (from changelog)

Bug Fixes

  • src/index: added support for .cts files (#252)
  • deps: updated lilconfig (#253)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ postcss-nested (indirect, 6.0.1 → 6.2.0) · Repo · Changelog

Release Notes

6.2.0

  • Added @starting-style to bubbling at-rules.


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ postcss-selector-parser (indirect, 6.0.11 → 6.1.2) · Repo · Changelog

Release Notes

6.1.2

  • Fixed: erroneous trailing combinators in pseudos

6.1.1

  • Fixed: improve typings of constructor helpers (#292)

6.1.0

  • Feature: add sourceIndex to Selector nodes (#290)

6.0.16

  • Fixed: add missing index argument to each/walk callback types (#289)

6.0.15

  • Fixed: Node#prev and Node#next type for the first/last node

6.0.14

  • Fixed: type definitions

6.0.13

  • Fixed: throw on unexpected pipe symbols

6.0.12

  • Fixed: clone arguments should be optional


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ resolve (indirect, 1.22.3 → 1.22.10) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ source-map-js (indirect, 1.2.0 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sucrase (indirect, 3.32.0 → 3.35.0) · Repo · Changelog

Release Notes

3.35.0 (from changelog)

  • Upgrade glob to fix a security vulnerability in the inflight package. (#822) (Patrick Nappa)
    • Note that the sucrase CLI no longer works in Node.js versions before 14.7.
      • If you use the sucrase CLI, you should pin to Sucrase 3.34.0 until you're able to upgrade Node.js to a supported version. Note that all Node.js versions before 18 are end-of-life.
      • If you don't use the sucrase CLI, you may need to silence errors related to package.json engines, e.g. yarn --ignore-engines.
    • This change is being released in a semver-minor release since it fixes a security vulnerability and the breaking change impact is expected to be small. See this PR comment for a rationale on the release strategy.

3.34.0 (from changelog)

  • Add CLI options for all remaining Sucrase options, e.g. --disable-es-transforms for disableESTransforms. (<<-ArS, Alan Pierce) (#670, #812)
  • Add SUCRASE_OPTIONS environment variable for configuring sucrase/register, sucrase-node, and any programmatic require hook usages. The value must be a valid JSON object of Sucrase options that will be merged with the usual options. (#813)

3.33.0 (from changelog)

  • Add an option keepUnusedImports that disables all automatic import/export elision, equivalent to the TypeScript option verbatimModuleSyntax. (#811, #615) (Kotaro Chikuba, Alan Pierce)
  • Add support for the await using proposal and the updated import attributes proposal. Both are preserved in the output code, not transformed. (#798)
  • Fix some issues with TypeScript automatic export elision in export {...} from statements. (#806)
    • Type names from the current file are no longer removed.
    • When all exports are type exports, the entire statement is now removed.
  • Fix bug where fn(x < y, x >= y) was incorrectly parsed as type arguments. (#798)
  • Fix a few bugs in enableLegacyBabel5ModuleInterop: properly handle as default, and properly ignore type exports. (#804, #807) (三咲智子 Kevin Deng, Alan Pierce)
  • Fix bug where parameters inside function types could be misinterpreted as declarations and result in imports being incorrectly marked as unused. (#809)
  • Fix bug where import {} and export {} statements were removed with the TypeScript transform disabled. (#810)
  • Make the transform behavior more forgiving when code accidentally has a return type annotation on a constructor. (#800)


↗️ yaml (indirect, 2.2.2 → 2.8.1) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 brace-expansion (added, 2.0.2)

🆕 minimatch (added, 9.0.5)

🆕 lilconfig (added, 3.1.3)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
