
fix: Patch moderate severity XSS vulnerability in postcss (<8.5.10)#4858

Merged
JhaSourav07 merged 7 commits into
JhaSourav07:mainfrom
Kokila-chandrakar:fix/postcss-xss-vulnerability
Jun 12, 2026

Conversation

@Kokila-chandrakar

Contributor

Description

Fixes #4840

Resolves a moderate severity Cross-Site Scripting (XSS) vulnerability in postcss versions <8.5.10, where unescaped </style> tags in CSS stringify output could be exploited.

Changes

  • Bumped postcss devDependency from ^8.5.9 to ^8.5.10
  • Added overrides in package.json to enforce postcss >= 8.5.10 across the dependency tree
  • Updated nested next/node_modules/postcss from 8.4.31 to 8.5.15 in package-lock.json

Why overrides?

Next.js includes its own internal copy of PostCSS (8.4.31), which was also affected. The overrides field ensures a patched version is used throughout the entire dependency tree.

Testing

  • Verified npm audit reports no moderate/high PostCSS vulnerabilities
  • Existing test suite remains unaffected (npm test)

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Bug fix, refactoring, docs)

Checklist before requesting a review:

  • I have read the CONTRIBUTING.md file.
  • I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
  • I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
  • My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
  • I have updated README.md if I added a new theme or URL parameter.
  • I have starred the repo.
  • I have made sure that I have only one commit to merge in this PR.
  • The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
  • (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.
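The description above relies on npm `overrides` to force a patched PostCSS onto nested copies such as `next/node_modules/postcss`. The check a reviewer would want is whether every installed copy actually ended up at or above the patched version. The script below is an added example, not code from this PR or from the CommitPulse project: it walks the `packages` map of a lock file, finds every path that installs `postcss` (top-level or nested), and reports any copy older than `8.5.10`. The lock file content is constructed for the demo; the `>=8.5.10` overrides entry mirrors what the description says the PR added.

```javascript
// Added example (not from the PR or the CommitPulse project): find every
// installed copy of a package in a package-lock.json, including nested copies
// under another dependency's node_modules, and flag those below a minimum.

// Lowest patched version, taken from the PR description.
const MIN_PATCHED = "8.5.10";

// Constructed sample lock file (lockfileVersion 2/3 "packages" layout).
// The nested next/node_modules/postcss entry is deliberately left at 8.4.31
// to show what an un-overridden tree looks like.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", devDependencies: { postcss: "^8.5.10" } },
    "node_modules/postcss": { version: "8.5.15" },
    "node_modules/next": { version: "0.0.0-constructed" },
    "node_modules/next/node_modules/postcss": { version: "8.4.31" },
  },
};

// Compare two dotted version strings numerically on major.minor.patch.
// Prerelease tags are ignored, which is sufficient for a floor check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lock entry that installs `pkg`: the top-level copy and any copy
// nested under another package's node_modules directory.
function findInstalledCopies(lock, pkg) {
  const suffix = `node_modules/${pkg}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies of `pkg` that are older than `min` and therefore still exposed.
function findVulnerableCopies(lock, pkg, min) {
  return findInstalledCopies(lock, pkg).filter(
    (copy) => compareVersions(copy.version, min) < 0
  );
}

// The package.json fragment that pins the whole tree to the patched floor,
// matching the overrides approach described in the PR.
function overridesFor(pkg, min) {
  return { overrides: { [pkg]: `>=${min}` } };
}

// Demo run over the constructed lock file.
const exposed = findVulnerableCopies(SAMPLE_LOCK, "postcss", MIN_PATCHED);
console.log("postcss copies below", MIN_PATCHED + ":", exposed);
console.log("package.json fragment:", JSON.stringify(overridesFor("postcss", MIN_PATCHED)));
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse` of the project's `package-lock.json` after `npm install`; an empty result for `findVulnerableCopies` is the evidence that the override took effect everywhere, which `npm audit` alone does not always make obvious for nested copies.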

@vercel

vercel Bot commented Jun 7, 2026

Contributor

@Kokila-chandrakar is attempting to deploy a commit to jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

github-actions Bot commented Jun 7, 2026

Contributor

🚨 Hey @Kokila-chandrakar, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 7, 2026
@github-actions github-actions Bot added type:bug Something isn't working as expected and removed status:blocked This PR is blocked due to a failing CI check. labels Jun 7, 2026
@Aamod-Dev Aamod-Dev added level:advanced Complex contributions involving architecture, optimization, or significant feature work quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. GSSoC 2026 mentor:Aamod007 labels Jun 11, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Great catch! Patching the PostCSS XSS vulnerability is critical for maintaining project security. Approving!

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Good work on this one. I reviewed the diff and it looks ready to go from my side.

Merging this looks safe. Approved!

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Thanks for the contribution. I went through the changes and the overall approach looks good, but there are a few issues that should be addressed before this can be merged. Most of the concerns are related to correctness and maintainability.

  • There are merge conflicts with the base branch. Please resolve them to ensure existing functionality isn't broken.

Once these issues are addressed, I'll be happy to take another look. Thanks again for the contribution.

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Thanks for the contribution. It looks like there are merge conflicts with the base branch. Please rebase and resolve the conflicts so we can proceed with testing and merging. Thanks!

@Kokila-chandrakar

Contributor Author

Rebased and resolved all conflicts with upstream main. Ready for re-review. Thanks!

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Thanks for resolving the merge conflicts! Approving.

@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 12, 2026
@JhaSourav07 JhaSourav07 merged commit 07a76b5 into JhaSourav07:main Jun 12, 2026
5 of 6 checks passed
@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 12, 2026
@github-actions

Contributor

🎉 Congratulations @Kokila-chandrakar! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@JhaSourav07 JhaSourav07 removed the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 17, 2026
@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 17, 2026

Development

Successfully merging this pull request may close these issues.

Security: Moderate XSS Vulnerability in PostCSS dependency
