Bump postcss, autoprefixer and postcss-cli in /website

[dependabot]

Bumps postcss, autoprefixer and postcss-cli. These dependencies needed to be updated together.
Updates postcss from 8.4.31 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

... (truncated)

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates autoprefixer from 9.8.5 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

10.4.20

• Fixed fit-content prefix for Firefox.

10.4.19

• Removed end value has mixed support, consider using flex-end warning since end/start now have good support.

10.4.18

• Fixed removing -webkit-box-orient on -webkit-line-clamp (@​Goodwine).

10.4.17

• Fixed user-select: contain prefixes.

10.4.16

• Improved performance (by @​romainmenke).
• Fixed docs (by @​coliff).

10.4.15

• Fixed ::backdrop prefixes (by @​yisibl).
• Fixed docs (by @​coliff).

10.4.14

• Improved startup time and reduced JS bundle size (by @​Knagis).

... (truncated)

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

10.4.20

• Fixed fit-content prefix for Firefox.

10.4.19

• Removed end value has mixed support, consider using flex-end warning since end/start now have good support.

10.4.18

• Fixed removing -webkit-box-orient on -webkit-line-clamp (@​Goodwine).

10.4.17

• Fixed user-select: contain prefixes.

... (truncated)

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• Additional commits viewable in compare view

Updates postcss-cli from 7.1.2 to 11.0.1

Release notes

Sourced from postcss-cli's releases.

8.0.0 / 2020-09-21

• BREAKING: Support postcss v8 (#344, #349)
• BREAKING: postcss is now a peerDependency, you must install it seperately (#344, #349)
• Upgrade dependencies (#340)

Changelog

Sourced from postcss-cli's changelog.

11.0.1 / 2025-03-12

• Update and minimize dependencies

11.0.0 / 2023-12-05

• BREAKING: Require Node.js v18+ (#464)
• Upgrade to postcss-load-config@5 for improved ESM & TS config support (#461, #462)

10.1.0 / 2022-11-29

• Allow running --watch mode in non-TTY contexts, like Docker (#448)
• Update dependencies

10.0.0 / 2022-06-29

• BREAKING: Drop Node 12 support (#438)
• Add support for ESM config files (#437)

9.1.0 / 2021-12-10

• Don't write to files if they're unchanged (#320, #417)

9.0.2 / 2021-11-04

• Switch to picocolors (#409)
• Remove test files from npm package

9.0.1 / 2021-09-28

• Actually exit with error when attempting to stdout in watch mode
• Remove bin/ from files in package.json

9.0.0 / 2021-09-24

• BREAKING: Require Node.js v12+
• BREAKING: Must specify full file path, including .js extension, when loading local plugins with --use (#401)
• BREAKING: Officially remove support for watching postcss config (was already broken in previous releases)
• Add support for dir-dependency messages (#383, #391)
• Update deps

8.3.1 / 2020-12-12

• Ensure paths are not interpreted as numbers (#360)
• Better errors for incorrect postcss version (#361, #362)

8.3.0 / 2020-11-17

• Exit on EOF/^D (#358)

... (truncated)

Commits

• 7bea180 11.0.1
• 0dc4eba Use eslint v9 + flat config (#490)
• 733ef42 chore(deps): update dependency sugarss to v5 (#483)
• 1363a65 Update dependency prettier to ~3.5.0 (#488)
• bd416f5 Update dependency uuid to v11 (#482)
• bfad16d Update dependency c8 to v10 (#480)
• b5d8f0e feat: replace globby with tinyglobby and remove get-stdin in favor of builtin...
• 5f9f92a Update dependency prettier to ~3.4.0 (#484)
• 0f52be7 Update dependency prettier to ~3.3.0 (#477)
• 528af4c Adding link to PostCSS (#472)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[Copilot]

Pull request overview

Updates the documentation website’s CSS processing toolchain by upgrading PostCSS, Autoprefixer, and the PostCSS CLI together in website/, primarily to keep the PostCSS ecosystem dependencies compatible and pick up upstream fixes.

Changes:

• Bump postcss from 8.4.31 to 8.5.10
• Bump autoprefixer from 9.8.5 to 10.5.0
• Bump postcss-cli from 7.1.2 to 11.0.1 and refresh transitive dependencies in package-lock.json

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
website/package.json	Updates direct devDependencies for the website’s PostCSS toolchain.
website/package-lock.json	Regenerates the lockfile to reflect the updated toolchain and transitive dependency tree.

Files not reviewed (1)

• website/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[friedrichg]

let's do that in a follow up PR