Update dependency postcss to v8.4.38

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
postcss (source)	8.4.8 -> 8.4.38

---

Release Notes

postcss/postcss (postcss)

v8.4.38

Compare Source

• Fixed endIndex: 0 in errors and warnings (by @​romainmenke).

v8.4.37

Compare Source

• Fixed original.column are not numbers error in another case.

v8.4.36

Compare Source

• Fixed original.column are not numbers error on broken previous source map.

v8.4.35

Compare Source

• Avoid ! in node.parent.nodes type.
• Allow to pass undefined to node adding method to simplify types.

v8.4.34

Compare Source

• Fixed AtRule#nodes type (by Tim Weißenfels).
• Cleaned up code (by Dmitry Kirillov).

v8.4.33

Compare Source

• Fixed NoWorkResult behavior difference with normal mode (by Romain Menke).
• Fixed NoWorkResult usage conditions (by @​ahmdammarr).

v8.4.32

Compare Source

• Fixed postcss().process() types (by Andrew Ferreira).

v8.4.31

Compare Source

• Fixed \r parsing to fix CVE-2023-44270.

v8.4.30

Compare Source

• Improved source map performance (by Romain Menke).

v8.4.29

Compare Source

• Fixed Node#source.offset (by Ido Rosenthal).
• Fixed docs (by Christian Oliff).

v8.4.28

Compare Source

• Fixed Root.source.end for better source map (by Romain Menke).
• Fixed Result.root types when process() has no parser.

v8.4.27

Compare Source

• Fixed Container clone methods types.

v8.4.26

Compare Source

• Fixed clone methods types.

v8.4.25

Compare Source

• Improve stringify performance (by Romain Menke).
• Fixed docs (by @​vikaskaliramna07).

v8.4.24

Compare Source

• Fixed Plugin types.

v8.4.23

Compare Source

• Fixed warnings in TypeDoc.

v8.4.22

Compare Source

• Fixed TypeScript support with node16 (by Remco Haszing).

v8.4.21

Compare Source

• Fixed Input#error types (by Aleks Hudochenkov).

v8.4.20

Compare Source

• Fixed source map generation for childless at-rules like @layer.

v8.4.19

Compare Source

• Fixed whitespace preserving after AST transformations (by Romain Menke).

v8.4.18

Compare Source

• Fixed an error on absolute: true with empty sourceContent (by Rene Haas).

v8.4.17

Compare Source

• Fixed Node.before() unexpected behavior (by Romain Menke).
• Added TOC to docs (by Mikhail Dedov).

v8.4.16

Compare Source

• Fixed Root AST migration.

v8.4.15

Compare Source

• Fixed AST normalization after using custom parser with old PostCSS AST.

v8.4.14

Compare Source

• Print “old plugin API” warning only if plugin was used (by @​zardoy).

v8.4.13

Compare Source

• Fixed append() error after using .parent (by Jordan Pittman).

v8.4.12

Compare Source

• Fixed package.funding to have same value between all PostCSS packages.

v8.4.11

Compare Source

• Fixed Declaration#raws.value type.

v8.4.10

Compare Source

• Fixed package.funding URL format.

v8.4.9

Compare Source

• Fixed package.funding (by Álvaro Mondéjar).

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

🚮 Removed packages: npm/postcss@8.4.8, npm/prop-types@15.8.1, npm/react-alice-carousel@2.8.0, npm/react-datepicker@4.25.0, npm/react-dom@17.0.2, npm/react-modal@3.16.1, npm/react-pro-sidebar@1.1.0, npm/react-router-dom@6.0.2, npm/react-router-hash-link@2.4.3, npm/react-scripts@5.0.0, npm/react-select@5.7.7, npm/react@17.0.2, npm/tailwindcss@3.0.18, npm/typescript@4.9.5, npm/web-vitals@2.1.4

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/core-js@3.36.1	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	orphan: npm/core-js@3.36.1

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/core-js@3.36.1