Skip to content

build(deps-dev): bump @tailwindcss/postcss from 4.3.2 to 4.3.3#795

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/npm_and_yarn/tailwindcss/postcss-4.3.3
Open

build(deps-dev): bump @tailwindcss/postcss from 4.3.2 to 4.3.3#795
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/npm_and_yarn/tailwindcss/postcss-4.3.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps @tailwindcss/postcss from 4.3.2 to 4.3.3.

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.3

Fixed

  • Support --watch --poll[=ms] in @tailwindcss/cli when filesystem events are unreliable or unavailable (#20297)
  • Canonicalization: match arbitrary hex colors against theme colors case-insensitively (e.g. bg-[#fff] and bg-[#FFF]bg-white) (#20298)
  • Prevent Preflight from overriding Firefox's native iframe:focus-visible outline styles (#20292)
  • Ensure theme('colors.foo') in JS plugins resolves correctly when both --color-foo and --color-foo-bar exist (#20299)
  • Ensure fractional opacity modifiers work with named shadow sizes like shadow-sm/12.5, text-shadow-sm/12.5, drop-shadow-sm/12.5, and inset-shadow-sm/12.5 (#20302)
  • Parse selectors like [data-foo]div as two selectors instead of one (#20303)
  • Ensure @tailwindcss/postcss rebuilds when a preprocessor like Sass changes the input CSS without changing the input file on disk (#20310)
  • Ensure CSS nesting is handled even when Lightning CSS isn't run, such as in @tailwindcss/browser and Tailwind Play (#20124)
  • Prevent achromatic theme colors from shifting hue when mixed in polar color spaces like oklch (#20314)
  • Ensure --spacing(0) is optimized to 0px instead of 0 so it remains a <length> when used in calc(…) (#20319)
  • Load @parcel/watcher only when needed in @tailwindcss/cli --watch mode, so one-off builds and --watch --poll work when @parcel/watcher can't be loaded (#20325)
  • Use explicit platform fonts instead of system-ui and ui-sans-serif so CJK text respects the page's lang attribute on Windows (#20318)
  • Prevent @tailwindcss/upgrade from rewriting ignored files when run from a subdirectory (#20329)
  • Ensure earlier @source rules pointing to nested files are scanned when later @source rules point to files in parent folders (#20335)
  • Prevent @tailwindcss/vite from triggering full page reloads when scanned files are processed by Vite but haven't been loaded as modules yet (#20336)
Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.3] - 2026-07-16

Fixed

  • Support --watch --poll[=ms] in @tailwindcss/cli when filesystem events are unreliable or unavailable (#20297)
  • Canonicalization: match arbitrary hex colors against theme colors case-insensitively (e.g. bg-[#fff] and bg-[#FFF]bg-white) (#20298)
  • Prevent Preflight from overriding Firefox's native iframe:focus-visible outline styles (#20292)
  • Ensure theme('colors.foo') in JS plugins resolves correctly when both --color-foo and --color-foo-bar exist (#20299)
  • Ensure fractional opacity modifiers work with named shadow sizes like shadow-sm/12.5, text-shadow-sm/12.5, drop-shadow-sm/12.5, and inset-shadow-sm/12.5 (#20302)
  • Parse selectors like [data-foo]div as two selectors instead of one (#20303)
  • Ensure @tailwindcss/postcss rebuilds when a preprocessor like Sass changes the input CSS without changing the input file on disk (#20310)
  • Ensure CSS nesting is handled even when Lightning CSS isn't run, such as in @tailwindcss/browser and Tailwind Play (#20124)
  • Prevent achromatic theme colors from shifting hue when mixed in polar color spaces like oklch (#20314)
  • Ensure --spacing(0) is optimized to 0px instead of 0 so it remains a <length> when used in calc(…) (#20319)
  • Load @parcel/watcher only when needed in @tailwindcss/cli --watch mode, so one-off builds and --watch --poll work when @parcel/watcher can't be loaded (#20325)
  • Use explicit platform fonts instead of system-ui and ui-sans-serif so CJK text respects the page's lang attribute on Windows (#20318)
  • Prevent @tailwindcss/upgrade from rewriting ignored files when run from a subdirectory (#20329)
  • Ensure earlier @source rules pointing to nested files are scanned when later @source rules point to files in parent folders (#20335)
  • Prevent @tailwindcss/vite from triggering full page reloads when scanned files are processed by Vite but haven't been loaded as modules yet (#20336)
Commits
  • c2b24dd 4.3.3 (#20334)
  • e48c5e8 Fix weird character rendering on Windows with Japanese locale (#20318)
  • 9b0e8af Ensure @tailwindcss/postcss rebuilds when the input CSS changes but its mti...
  • b53fa09 fix: exclude iframes from focus-visible auto outline in Preflight (#20292)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) from 4.3.2 to 4.3.3.
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.3/packages/@tailwindcss-postcss)

---
updated-dependencies:
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@code-genius-code-coverage

Copy link
Copy Markdown

The files' contents are under analysis for test generation.

@github-actions github-actions Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 17, 2026
@socket-security

socket-security Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedtailwindcss@​4.3.2 ⏵ 4.3.310010081 -398100
Updated@​tailwindcss/​postcss@​4.3.2 ⏵ 4.3.39910010098100

View full report

@socket-security

socket-security Bot commented Jul 17, 2026

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Native binaries present: npm @tailwindcss/oxide-android-arm64

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-android-arm64@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-android-arm64@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-darwin-arm64

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-darwin-arm64@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-darwin-arm64@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-darwin-x64

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-darwin-x64@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-darwin-x64@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-freebsd-x64

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-freebsd-x64@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-freebsd-x64@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-linux-arm-gnueabihf

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-linux-arm-gnueabihf@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-linux-arm-gnueabihf@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-linux-arm64-gnu

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-linux-arm64-gnu@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-linux-arm64-gnu@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-linux-arm64-musl

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-linux-arm64-musl@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-linux-arm64-musl@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-linux-x64-gnu

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-linux-x64-gnu@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-linux-x64-gnu@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-linux-x64-musl

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-linux-x64-musl@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-linux-x64-musl@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm @tailwindcss/oxide-wasm32-wasi is 60.0% likely risky

Notes: No direct evidence of classic supply-chain malware behaviors (network exfiltration, credential theft, persistence mechanisms) is visible in this fragment. However, the module exposes high-risk dynamic execution primitives—most notably napi_run_script calling eval on a provided string—along with indirect execution via wasmTable (including finalizer callbacks) and optional new Function-based wrapper generation. Security impact is therefore dominated by arbitrary-code-execution risk if any attacker can influence script content or the callback/table/function identifiers used for indirect calls.

Confidence: 0.60

Severity: 0.72

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-wasm32-wasi@4.3.3

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-wasm32-wasi@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm @tailwindcss/oxide-wasm32-wasi is 66.0% likely risky

Notes: The code is largely wasm runtime plumbing for N-API compatibility, but it contains high-impact dynamic execution capabilities. In particular, napi_run_script performs eval on a string taken from a module-managed handle, enabling arbitrary host-side JavaScript execution if an attacker can influence that input. Additional dynamic function generation (new Function) and reflection/prototype mutation driven by module-provided descriptors further increase attack surface. No direct evidence of network exfiltration or credential theft is visible in the provided fragment, but the eval sink materially elevates security risk and warrants strict trust assumptions and/or hardening (e.g., remove/disable eval, validate/allowlist script execution inputs, isolate untrusted WASM).

Confidence: 0.66

Severity: 0.72

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-wasm32-wasi@4.3.3

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-wasm32-wasi@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm @tailwindcss/oxide-wasm32-wasi is 63.0% likely risky

Notes: Overall, this module is a WASM/N-API runtime bridge with worker/thread orchestration and extensive callback/handle plumbing. The standout concern is explicit dynamic execution: napi_run_script calls eval() on a string obtained from WASM handles, and re() can use new Function(...) for runtime code generation. These create high-impact code execution capabilities if an attacker can influence the WASM module or the strings/identifiers feeding these paths. No direct network/filesystem/credential-stealing behavior is evident in the provided fragment; the dominant risk is RCE within the host runtime triggered by upstream tampering or untrusted WASM inputs.

Confidence: 0.63

Severity: 0.78

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-wasm32-wasi@4.3.3

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-wasm32-wasi@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-win32-arm64-msvc

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-win32-arm64-msvc@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-win32-arm64-msvc@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm @tailwindcss/oxide-win32-x64-msvc

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-win32-x64-msvc@4.3.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-win32-x64-msvc@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Debug access: npm @tailwindcss/node in module node:module

Module: node:module

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What is debug access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Debug access: npm @tailwindcss/node in module module

Module: module

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What is debug access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm @tailwindcss/node reads DEBUG

Env Vars: DEBUG

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm @tailwindcss/node reads NODE_PATH

Env Vars: NODE_PATH

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm @tailwindcss/node with module fs

Module: fs

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm @tailwindcss/node with module fs/promises

Module: fs/promises

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Minified code present: npm @tailwindcss/node with 100.0% likelihood

Confidence: 1.00

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What's wrong with minified code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Minified code present: npm @tailwindcss/node with 99.0% likelihood

Confidence: 0.99

Location: Package overview

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/node@4.3.3

ℹ Read more on: This package | This alert | What's wrong with minified code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @tailwindcss/oxide-wasm32-wasi is 66.0% likely to have a medium risk anomaly

Notes: This code is a WASM/worker interop runtime shim with significant execution capability. The primary security concern is that it can execute arbitrary JavaScript via g.eval (napi_run_script) and can dynamically generate wrapper functions via new Function (emnapiCreateFunction). Additionally, worker message payloads can drive indirect calls into wasm function tables. The fragment shows no direct exfiltration or persistence mechanisms, so malicious intent is not established, but the attack surface is elevated due to powerful dynamic-execution sinks and trust in WASM/message-controlled inputs.

Confidence: 0.66

Severity: 0.67

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-wasm32-wasi@4.3.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-wasm32-wasi@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @tailwindcss/oxide-wasm32-wasi is 63.0% likely to have a medium risk anomaly

Notes: The file package/dist/emnapi-core.min.js implements a wasm/N-API interop runtime that includes dynamic code execution surfaces via eval and new Function. If attacker-controlled input can reach these dynamic paths (through napi_run_script or dynamic wrapper code), it can enable arbitrary JavaScript execution (RCE) in the Node process and potentially in spawned workers.

Confidence: 0.63

Severity: 0.74

From: package-lock.jsonnpm/@tailwindcss/postcss@4.3.3npm/@tailwindcss/oxide-wasm32-wasi@4.3.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/oxide-wasm32-wasi@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 8 more rows in the dashboard

View full report

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@guibranco
guibranco enabled auto-merge (squash) July 17, 2026 04:16
@gstraccini gstraccini Bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Jul 17, 2026

@guibranco guibranco left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by gstraccini[bot]

@gstraccini gstraccini Bot added 🤖 bot Automated processes or integrations 📦 dependencies labels Jul 17, 2026
@github-actions

Copy link
Copy Markdown

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs
2026-07-17T04:33:44Z INF scanning for exposed secrets...
4:33AM INF 789 commits scanned.
2026-07-17T04:33:45Z INF scan completed in 1.46s
2026-07-17T04:33:45Z INF no leaks found

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) 🤖 bot Automated processes or integrations dependencies Dependencies 📦 dependencies npm size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant