[Snyk] Fix for 1 vulnerabilities

[MHxGH-ServiceAccount]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/next-css/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AJV-15274295	157

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

---

Note

Medium Risk
Dependency major-version bumps in the webpack CSS pipeline may introduce breaking config/behavior changes at build time; runtime code is otherwise unchanged.

Overview
Updates packages/next-css/package.json to upgrade css-loader from ^2.1.0 to ^6.0.0 and postcss-loader from ^3.0.0 to ^5.0.0 (Snyk-driven vulnerability fix).

^{Written by Cursor Bugbot for commit 22d0c5e. This will update automatically on new commits. Configure here.}

[MHxGH-ServiceAccount]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[MHxGH-ServiceAccount]

This update includes major version upgrades for css-loader and postcss-loader which introduce significant breaking changes and require configuration updates.

postcss-loader: 3.0.0 → 5.0.0 (High Risk)

This upgrade requires structural changes to your webpack configuration and dependency management.

Mandatory Changes:

• Configuration Object: All PostCSS-specific options (like plugins, parser, syntax) must be moved inside a postcssOptions object within the loader's options. Failure to do so will result in a schema validation error.
• Peer Dependency: postcss is now a peerDependency and must be explicitly installed in your project.
• Webpack Version: postcss-loader v5 requires webpack v5.

Example Migration:

Before (v3.0.0):

{   
  loader: 'postcss-loader',   
  options: {   
    plugins: [require('autoprefixer')]   
  }   
}  

After (v5.0.0):

{   
  loader: 'postcss-loader',   
  options: {   
    postcssOptions: {   
      plugins: [require('autoprefixer')]   
    }   
  }   
}  

css-loader: 2.1.1 → 6.0.0 (High Risk)

This upgrade spans multiple major versions and aligns with webpack v5's asset handling features.

Mandatory Changes:

• Asset Modules: The upgrade to v6 is designed to work with webpack 5's built-in Asset Modules. The use of older loaders like file-loader and url-loader for assets referenced in CSS is deprecated. Continuing to use them may lead to duplicated assets unless you explicitly set the asset's module type to javascript/auto.
• URL Resolution: The loader is stricter in resolving url() paths. Builds may fail for paths that were previously ignored or resolved incorrectly.

Recommendation: Both upgrades are high-risk and require careful migration. Address the postcss-loader configuration changes first, as they are a common point of failure. Then, audit your asset handling (url() in CSS) to align with webpack 5's Asset Modules, replacing file-loader and url-loader where possible. Thorough testing is required to ensure styles and assets are processed correctly.

Source: Release notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Major version bumps require webpack 5, project uses webpack 4

High Severity

css-loader@^6.0.0 and postcss-loader@^5.0.0 both require webpack 5 as a minimum, but the devDependencies still specify webpack: "^4.29.5". This will cause immediate build failures — postcss-loader v5 calls this.getOptions() which doesn't exist in webpack 4's loader context, resulting in a TypeError at runtime.

Additional Locations (2)

• packages/next-css/package.json#L12-L13
• packages/next-css/package.json#L15-L16

 

[cursor]

css-loader v6 removed top-level exportOnlyLocals option

High Severity

Upgrading css-loader to v6 breaks the existing configuration in css-loader-config.js, which passes exportOnlyLocals as a top-level option. This option was removed in css-loader v4+ and moved to modules.exportOnlyLocals. Server-side CSS module rendering will silently fail to work correctly because the option is now ignored.

 

[cursor]

postcss-loader v5 removed config option structure

High Severity

Upgrading postcss-loader to v5 breaks the existing configuration in css-loader-config.js, which passes a config option with a path property. In postcss-loader v5, the config option was removed and replaced with postcssOptions. PostCSS configuration file discovery will silently stop working.