Pulp Engine Document Rendering

Release v0.77.1 — postcss advisory patch

Date: 2026-04-25
Tag: v0.77.1

Summary

Dependency-advisory patch. v0.77.0 was tagged but not shipped: push-time CI on the tagged commit failed the pnpm audit --prod --audit-level=moderate gate on advisory GHSA-qx2v-qp2m-jg93 (“PostCSS has XSS via Unescaped in its CSS Stringify Output”) through apps/website > @astrojs/react > vite > postcss. v0.77.1 forces postcss >= 8.5.10 via root pnpm.overrides, includes a CI-only release-head allowance so the merged pre-tag release commit on main can pass ci.yml before the real tag is pushed, and corrects stale website SDK marketing copy that still implied a first-party .NET client.

What landed

  • Root pnpm.overrides now pins postcss >= 8.5.10.
  • pnpm-lock.yaml re-resolved; postcss@8.5.10 is the resolved version.
  • scripts/check-version.mjs now has an explicit CI opt-in mode for a fully prepared, untagged release head; ci.yml uses it so main can go green before the tag exists, while tagged release workflows remain strict.
  • The landing-page metric strip and pricing page now advertise the current SDK surface accurately: two first-party SDKs (TypeScript, Python) plus OpenAPI-generated clients for other languages.
  • The website toolchain still builds cleanly after the patched resolution; no customer-facing route or content behavior changed beyond the SDK-copy correction and this release note page.
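The two gates this patch leans on (a root pnpm.overrides floor for a transitive dependency, and a version check with a strict tagged path plus a CI-only allowance for an untagged release head) are small enough to model in a few lines. The script below is an added example, not code from the Pulp Engine repository or its scripts/check-version.mjs; the option names headTag, latestTag and allowReleaseHead and the sample package.json are constructed assumptions, and it runs offline with Node.

```javascript
// Added example, not code from Pulp Engine's repository: an offline model of
// the two gates this release note describes. Option and field names
// (allowReleaseHead, headTag, latestTag) are assumptions for illustration.

// Parse "X.Y.Z" or "vX.Y.Z" with an optional prerelease suffix.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ?? null };
}

// Compare release parts only; returns -1, 0 or 1.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (x[part] !== y[part]) return x[part] < y[part] ? -1 : 1;
  }
  return 0;
}

// Gate 1: does root package.json force `name` (wherever it appears in the
// tree) to at least `minVersion` via pnpm.overrides? Accepts the ">=X.Y.Z"
// form used in this release and an exact "X.Y.Z" pin.
function verifyOverride(pkg, name, minVersion) {
  const spec = pkg && pkg.pnpm && pkg.pnpm.overrides ? pkg.pnpm.overrides[name] : undefined;
  if (typeof spec !== 'string') {
    return { ok: false, reason: `no pnpm.overrides entry for ${name}` };
  }
  const m = /^(>=)?\s*v?(\d+\.\d+\.\d+)$/.exec(spec.trim());
  if (!m) return { ok: false, reason: `unsupported override spec "${spec}"` };
  if (compareSemver(m[2], minVersion) < 0) {
    return { ok: false, reason: `${name} floor ${m[2]} is below patched ${minVersion}` };
  }
  return { ok: true, reason: `${name} floor ${m[2]} satisfies >= ${minVersion}` };
}

// Gate 2 (hypothetical sketch): a version check with a strict tagged path and
// an explicit CI opt-in for a prepared but untagged release head.
//   headTag          tag on the commit being checked, or null if untagged
//   latestTag        newest existing release tag, used to detect a bump
//   allowReleaseHead CI-only opt-in; never set on tagged release workflows
function checkVersion({ packageVersion, headTag = null, latestTag = null, allowReleaseHead = false }) {
  parseSemver(packageVersion);
  const expectedTag = `v${packageVersion}`;
  if (headTag !== null) {
    // Tagged path stays strict: the tag must name exactly the package version.
    return headTag === expectedTag
      ? { ok: true, mode: 'tagged' }
      : { ok: false, mode: 'tagged', reason: `tag ${headTag} != ${expectedTag}` };
  }
  if (latestTag === null || compareSemver(packageVersion, latestTag) === 0) {
    // Ordinary commit: version not bumped past the last tag (or no tags yet).
    return { ok: true, mode: 'unbumped' };
  }
  if (compareSemver(packageVersion, latestTag) < 0) {
    return { ok: false, mode: 'untagged', reason: `${packageVersion} is behind ${latestTag}` };
  }
  // Version bumped but tag not pushed yet: only the CI opt-in may pass this.
  return allowReleaseHead
    ? { ok: true, mode: 'release-head' }
    : { ok: false, mode: 'untagged', reason: `${expectedTag} not pushed; opt in only from CI` };
}

// Constructed sample input mirroring the scenario in this release note.
const rootPackageJson = { name: 'example-root', pnpm: { overrides: { postcss: '>=8.5.10' } } };
console.log(verifyOverride(rootPackageJson, 'postcss', '8.5.10'));
console.log(checkVersion({ packageVersion: '0.77.1', latestTag: 'v0.77.0' }));
console.log(checkVersion({ packageVersion: '0.77.1', latestTag: 'v0.77.0', allowReleaseHead: true }));
console.log(checkVersion({ packageVersion: '0.77.1', headTag: 'v0.77.1', latestTag: 'v0.77.1' }));
```

The three checkVersion calls at the bottom correspond to the three outcomes a release flow like this one needs: the bumped-but-untagged release commit fails in strict mode, passes only with the CI opt-in, and the tagged commit passes on the strict path without any opt-in.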

Operational posture

  • v0.77.0 should be treated as a burned tag. It pointed at 84d11a6, but release creation and SDK publishes were stopped after the CI audit gate caught the advisory before any release artifacts were created.
  • v0.77.1 is the first intended shipping tag on the signed-licence-v1 line.
  • No customer-facing API, CLI, or schema changes land in this patch. The only non-dependency follow-ups are the CI/release-process fix above and the website SDK-copy correction.

Verified before tagging

CI-verified

  • Release and SDK publish workflows gate on ci.yml success for the exact tagged SHA on main; no artifact can publish without that signal.

Locally verified

  • pnpm audit --prod --audit-level=moderate — No known vulnerabilities found.
  • pnpm --filter @pulp-engine/website build — 115 pages, postbuild clean.
  • node scripts/check-version.mjs — green on the advisory-fix commit, green in CI opt-in mode on the merged pre-tag release commit, and green on the local-tag validation path for the 0.77.1 release commit.
  • pnpm install --lockfile-only — lockfile refreshed after the override; no unexpected dependency churn beyond the patched postcss resolution.

Not verified

  • Registry publication (npm, PyPI), GHCR images, GitHub Release assets, public mirror sync, Windows installer smoke, and signed-licence end-to-end smoke remain tag-time/post-tag checks.

Known residual

  • PyPI Trusted Publishing may still fail loudly if the one-time PyPI trust configuration is incomplete; that is independent of this patch.
  • The intentionally untracked Fly files remain out of scope for this release line.