fix(deps): remove transitive postcss vulnerabilities #1740
Conversation
Pull request overview
Removes unused dev tooling (and related config) that was pulling vulnerable transitive postcss versions into the workspace, aligning the repo with the Tailwind 4 + @tailwindcss/vite toolchain (Lightning CSS) and eliminating now-dead SCSS and Tailwind ESLint plugin setup.
Changes:
- Removed `autoprefixer` from app devDependencies and eliminated `eslint-plugin-tailwindcss` usage/config where it was still referenced.
- Removed `node-sass-glob-importer` and the dead SCSS preprocessor configuration from `ui-components` Storybook.
- Regenerated `pnpm-lock.yaml` to drop the transitive vulnerable `postcss` chains and related packages.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Lockfile cleanup reflecting removal of unused tooling and elimination of vulnerable transitive postcss versions. |
| packages/ui-components/package.json | Drops node-sass-glob-importer from devDependencies. |
| packages/ui-components/.storybook/main.js | Removes SCSS preprocessor configuration and switches to ESM import for vite-plugin-glob. |
| apps/template/package.json | Removes unused eslint-plugin-tailwindcss from devDependencies. |
| apps/heureka/package.json | Removes unused autoprefixer and eslint-plugin-tailwindcss from devDependencies. |
| apps/heureka/eslint.config.mjs | Removes Tailwind plugin rule overrides now that the plugin is no longer used. |
| apps/carbon/package.json | Removes unused autoprefixer and eslint-plugin-tailwindcss from devDependencies. |
| apps/carbon/eslint.config.mjs | Removes Tailwind ESLint plugin import/registration/extends and its rule configuration. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Drop unused dev tooling that pulled in vulnerable postcss versions:

- node-sass-glob-importer (ui-components) — no .scss files exist; the Storybook scss preprocessor block was dead config
- autoprefixer (carbon, heureka) — Tailwind 4 + @tailwindcss/vite handles vendor prefixing via Lightning CSS
- eslint-plugin-tailwindcss (carbon, heureka, template) — limited Tailwind 4 support; rules were already off in heureka and unused in template

Removes 64 packages and the postcss@6.0.23, 8.5.10, and 8.5.14 chains. Only postcss@8.5.15 (via vite) remains, which is above all Dependabot patched versions.

Signed-off-by: Esther Schmitz <esther.schmitz@sap.com>
6fcdb3e to c6e2354
Summary
Resolves three Dependabot alerts (#89, #215, #216) on `postcss` by removing unused dev tooling that pulled vulnerable versions into the lockfile. With Tailwind 4 + `@tailwindcss/vite` we no longer need a direct postcss/autoprefixer setup, and a few other dev deps were leftover from earlier toolchains.

- `node-sass-glob-importer` (ui-components) — no `.scss` files exist anywhere in `apps/` or `packages/`; the Storybook scss preprocessor block was dead config. Removing it kills the `postcss@6.0.23` and `postcss@8.5.14` chains.
- `autoprefixer` (carbon, heureka) — neither app has a postcss config nor references autoprefixer in their vite configs. Tailwind 4 handles vendor prefixing via Lightning CSS.
- `eslint-plugin-tailwindcss` (carbon, heureka, template) — limited Tailwind 4 support. Rules were already turned off in heureka, unused in template, and only actively configured in carbon (where we'd rather drop the plugin entirely than ship rules that don't understand v4).

After this change, `pnpm why postcss -r` shows only `postcss@8.5.15` (via vite), which is above all Dependabot patched versions (8.2.13, 8.4.31, 8.5.10).

Net diff: −64 packages, ~600 lines off the lockfile.
Test plan
- `pnpm lint` — 19/19 packages
- `pnpm typecheck` — 23/23 packages
- `pnpm test` — 24/24 packages (1308 ui-components tests)
- `pnpm build-storybook` (ui-components) — built clean