build(deps): bump tailwindcss from 4.1.8 to 4.1.11 #20

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/tailwindcss-4.1.11

@dependabot dependabot bot commented on behalf of github Jun 26, 2025

Bumps tailwindcss from 4.1.8 to 4.1.11.

Release notes

Sourced from tailwindcss's releases.

v4.1.11

Fixed

  • Add heuristic to skip candidate migrations inside emit(…) (#18330)
  • Extract candidates with variants in Clojure/ClojureScript keywords (#18338)
  • Document --watch=always in the CLI's usage (#18337)
  • Add support for Vite 7 to @tailwindcss/vite (#18384)

v4.1.10

Fixed

  • Fix incorrectly generated CSS when using percentages in arbitrary values with calc (e.g. w-[calc(100%-var(--offset))]) (#18289)

v4.1.9

Fixed

  • Correctly parse custom properties with strings containing semicolons (#18251)
  • Upgrade: Migrate arbitrary modifiers without percentage signs to bare values (e.g. /[0.16] → /16) (#18184)
  • Upgrade: Migrate CSS variable shorthands where fallback value contains function call (#18184)
  • Upgrade: Migrate negative arbitrary values to negative bare values (e.g. mb-[-32rem] → -mb-128) (#18212)
  • Upgrade: Do not migrate blur in wire:model.blur (#18216)
  • Don't add spaces around CSS dashed idents when formatting math expressions (#18220)

Changelog

Sourced from tailwindcss's changelog.

[4.1.11] - 2025-06-26

Fixed

  • Add heuristic to skip candidate migrations inside emit(…) (#18330)
  • Extract candidates with variants in Clojure/ClojureScript keywords (#18338)
  • Document --watch=always in the CLI's usage (#18337)
  • Add support for Vite 7 to @tailwindcss/vite (#18384)

[4.1.10] - 2025-06-11

Fixed

  • Fix incorrectly generated CSS when using percentages in arbitrary values with calc (e.g. w-[calc(100%-var(--offset))]) (#18289)

[4.1.9] - 2025-06-11

Fixed

  • Correctly parse custom properties with strings containing semicolons (#18251)
  • Upgrade: Migrate arbitrary modifiers without percentage signs to bare values (e.g. /[0.16] → /16) (#18184)
  • Upgrade: Migrate CSS variable shorthands where fallback value contains function call (#18184)
  • Upgrade: Migrate negative arbitrary values to negative bare values (e.g. mb-[-32rem] → -mb-128) (#18212)
  • Upgrade: Do not migrate blur in wire:model.blur (#18216)
  • Don't add spaces around CSS dashed idents when formatting math expressions (#18220)
You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 26, 2025

jazzberry-ai bot commented Jun 26, 2025

Bug Report

| Name | Severity | Example test case | Description |
|---|---|---|---|
| motion update causing potential layout/animation issues | Medium | Open the mobile navigation and observe the animation. | The update to motion from 12.16.0 to 12.19.1 might have changed the behavior of layoutScroll, potentially leading to unexpected animation behavior or layout issues in the mobile navigation. |
| mermaid update causing rendering issues | Medium | Render a complex mermaid diagram. | The update to mermaid from 11.6.0 to 11.7.0 might have changed the way diagrams are rendered, leading to diagrams not rendering correctly or at all. |

Comments? Email us.

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/tailwindcss-4.1.11 branch from 80e6e6d to d6416bb Compare July 10, 2025 17:10

jazzberry-ai bot commented Jul 10, 2025

Bug Report

| Name | Severity | Example test case | Description |
|---|---|---|---|
| Potential Mermaid syntax validation error | Medium | Use a previously valid Mermaid diagram. | The update to the mermaid library might introduce stricter syntax requirements, causing the mermaid.parse call to throw errors for previously valid diagrams in src/mdx/mermaid.tsx. This would result in diagrams not rendering and displaying an error message. |

Comments? Email us.

Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) from 4.1.8 to 4.1.11.
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.1.11/packages/tailwindcss)

---
updated-dependencies:
- dependency-name: tailwindcss
  dependency-version: 4.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/tailwindcss-4.1.11 branch from d6416bb to b5b91e8 Compare July 14, 2025 14:37

jazzberry-ai bot commented Jul 14, 2025

Bug Report

Name: Potential Cross-Site Scripting (XSS) vulnerability in Mermaid diagram rendering

Severity: Medium

Example test case: Inject malicious JavaScript code into a Mermaid diagram. For example, a sequence diagram with a callback arrow containing JavaScript:

```
sequenceDiagram
    participant A as Alice
    participant B as Bob
    A->>B: Hello Bob
    B-->>A: Hello Alice
    B-->>A: callback: <img src=x onerror=alert("XSS")>
```

Description: The `MermaidRenderer` component uses the `mermaid.parse()` method to validate the Mermaid diagram syntax before rendering it. However, the `parse` method itself might not be sufficient to sanitize the diagram content and prevent XSS attacks. If the `mermaid.render()` method then renders the diagram without proper sanitization, it could execute arbitrary JavaScript code injected into the diagram. While the code attempts to remove style and class definitions, it doesn't account for other potential injection points within the diagram syntax (e.g., labels, tooltips, or callbacks).

The `parse` method is intended for syntax validation and may not remove potentially malicious code. The subsequent `render` call could then interpret and execute this code, leading to XSS.

The component should implement more robust sanitization to remove any potentially malicious code from the Mermaid diagram before rendering it. This could involve using a dedicated sanitization library or implementing custom sanitization logic tailored to the Mermaid diagram syntax.

Comments? [Email us](mailto:support@jazzberry.ai).
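
An output check for the concern raised in the report above, as an added example that is not part of this thread or of the project's code: it scans the markup a renderer produced for event-handler attributes, active elements and `javascript:` URLs before that markup is inserted into the page. The function names and the sample SVG strings are assumptions constructed for illustration, and nothing here calls Mermaid itself.

```javascript
// Added example: output gate for rendered diagram markup (not the project's code).
// It reports active content and fails closed; it does not rewrite the markup.
const ACTIVE_TAGS = new Set(["script", "iframe", "object", "embed"]);
const URL_ATTRS = new Set(["href", "xlink:href", "src"]);
// Tag matcher that tolerates ">" inside quoted attribute values.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function findActiveContent(markup) {
  const findings = [];
  for (const [, rawTag, rawAttrs] of markup.matchAll(TAG_RE)) {
    // Drop any namespace prefix so "svg:script" is treated like "script".
    const tag = rawTag.toLowerCase().split(":").pop();
    if (ACTIVE_TAGS.has(tag)) findings.push({ tag, reason: "active element" });
    for (const [, rawName, rawValue = ""] of rawAttrs.matchAll(ATTR_RE)) {
      const name = rawName.toLowerCase();
      // Strip quotes, then whitespace and control characters inside the URL scheme.
      const value = rawValue.replace(/^["']|["']$/g, "")
        .replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
      if (name.startsWith("on")) {
        findings.push({ tag, attr: name, reason: "event handler attribute" });
      } else if (URL_ATTRS.has(name) && value.startsWith("javascript:")) {
        findings.push({ tag, attr: name, reason: "javascript: URL" });
      }
    }
  }
  return findings;
}

function assertInert(markup) {
  const findings = findActiveContent(markup);
  if (findings.length > 0) {
    throw new Error("refusing to insert diagram markup: " + JSON.stringify(findings));
  }
  return markup;
}

// Constructed samples: the label from the report, once escaped and once emitted raw.
const ESCAPED = '<svg><text>callback: &lt;img src=x onerror=alert("XSS")&gt;</text></svg>';
const RAW = '<svg><foreignObject><div>callback: <img src=x onerror=alert("XSS")></div></foreignObject></svg>';
const LINK = '<svg><a xlink:href="java\tscript:void(0)"><text>A</text></a></svg>';

console.log(findActiveContent(ESCAPED));
console.log(findActiveContent(RAW));
console.log(findActiveContent(LINK));
```

Run it in a unit test against the SVG string the component is about to insert, using the report's diagram as a fixture. It complements a DOM-based sanitizer and does not replace one.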

dependabot bot commented on behalf of github Aug 14, 2025

Superseded by #70.

@dependabot dependabot bot closed this Aug 14, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/tailwindcss-4.1.11 branch August 14, 2025 18:37