@mnk-blr mnk-blr commented Jan 17, 2026

Snyk has created this PR to upgrade tailwindcss from 3.4.17 to 4.1.18.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 85 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
| --- | --- | --- |
| high severity: Command Injection (SNYK-JS-GLOB-14040952) | 57 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 57 | Proof of Concept |

Release notes
Package name: tailwindcss
  • 4.1.18 - 2025-12-11

    Fixed

    • Ensure validation of source(…) happens relative to the file it is in (#19274)
    • Include filename and line numbers in CSS parse errors (#19282)
    • Skip comments in Ruby files when checking for class names (#19243)
    • Skip over arbitrary property utilities with a top-level ! in the value (#19243)
    • Support environment API in @tailwindcss/vite (#18970)
    • Preserve case of theme keys from JS configs and plugins (#19337)
    • Write source maps correctly on the CLI when using --watch (#19373)
    • Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
    • Improve backwards compatibility for content theme key from JS configs (#19381)
    • Upgrade: Handle future and experimental config keys (#19344)
    • Try to canonicalize any arbitrary utility to a bare value (#19379)
    • Validate candidates similarly to Oxide (#19397)
    • Canonicalization: combine text-* and leading-* classes (#19396)
    • Correctly handle duplicate CLI arguments (#19416)
    • Don’t emit color-mix fallback rules inside @keyframes (#19419)
    • CLI: Don't hang when output is /dev/stdout (#19421)
  • 4.1.17 - 2025-11-06

    Fixed

    • Substitute @variant inside legacy JS APIs (#19263)
    • Prevent occasional crash on Windows when loaded into a worker thread (#19242)
  • 4.1.16 - 2025-10-23

    Fixed

    • Discard candidates with an empty data type (#19172)
    • Fix canonicalization of arbitrary variants with attribute selectors (#19176)
    • Fix invalid colors due to nested & (#19184)
    • Improve canonicalization for & > :pseudo and & :pseudo arbitrary variants (#19178)
  • 4.1.15 - 2025-10-20

    Fixed

    • Fix Safari devtools rendering issue due to color-mix fallback (#19069)
    • Suppress Lightning CSS warnings about :deep, :slotted, and :global (#19094)
    • Fix resolving theme keys when starting with the name of another theme key in JS configs and plugins (#19097)
    • Allow named groups in combination with not-*, has-*, and in-* (#19100)
    • Prevent important utilities from affecting other utilities (#19110)
    • Don’t index into strings with the theme(…) function (#19111)
    • Fix parsing issue when \t is used in at-rules (#19130)
    • Upgrade: Canonicalize utilities containing 0 values (#19095)
    • Upgrade: Migrate deprecated break-words to wrap-break-word (#19157)

    Changed

    • Remove the postinstall script from oxide (#19149)
  • 4.1.14 - 2025-10-01

    Fixed

    • Handle ' syntax in ClojureScript when extracting classes (#18888)
    • Handle @variant inside @custom-variant (#18885)
    • Merge suggestions when using @utility (#18900)
    • Ensure that file system watchers created when using the CLI are always cleaned up (#18905)
    • Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#18907)
    • Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#18907)
    • Prevent duplicate CSS when overwriting a static utility with a theme key (#18056)
    • Show Lightning CSS warnings (if any) when optimizing/minifying (#18918)
    • Use default export condition for @tailwindcss/vite (#18948)
    • Re-throw errors from PostCSS nodes (#18373)
    • Detect classes in markdown inline directives (#18967)
    • Ensure files with only @theme produce no output when built (#18979)
    • Support Maud templates when extracting classes (#18988)
    • Upgrade: Do not migrate variant = 'outline' during upgrades (#18922)
    • Upgrade: Show version mismatch (if any) when running upgrade tool (#19028)
    • Upgrade: Ensure first class inside className is migrated (#19031)
    • Upgrade: Migrate classes inside *ClassName and *Class attributes (#19031)
  • 4.1.13 - 2025-09-04

    Changed

    • Drop warning from browser build (#18731)
    • Drop exact duplicate declarations when emitting CSS (#18809)

    Fixed

    • Don't transition visibility when using transition (#18795)
    • Discard matched variants with unknown named values (#18799)
    • Discard matched variants with non-string values (#18799)
    • Show suggestions for known matchVariant values (#18798)
    • Replace deprecated clip with clip-path in sr-only (#18769)
    • Hide internal fields from completions in matchUtilities (#18820)
    • Ignore .vercel folders by default (can be overridden by @source … rules) (#18855)
    • Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#18869)
    • Do not allow custom variants to start or end with a - or _ (#18867, #18872)
    • Upgrade: Migrate aria theme keys to @custom-variant (#18815)
    • Upgrade: Migrate data theme keys to @custom-variant (#18816)
    • Upgrade: Migrate supports theme keys to @custom-variant (#18817)
  • 4.1.12 - 2025-08-14

    Fixed

    • Don't consider the global important state in @apply (#18404)
    • Add missing suggestions for flex-<number> utilities (#18642)
    • Fix trailing ) from interfering with extraction in Clojure keywords (#18345)
    • Detect classes inside Elixir charlist, word list, and string sigils (#18432)
    • Track source locations through @plugin and @config (#18345)
    • Allow boolean values of process.env.DEBUG in @tailwindcss/node (#18485)
    • Ignore consecutive semicolons in the CSS parser (#18532)
    • Center the dropdown icon added to an input with a paired datalist by default (#18511)
    • Extract candidates in Slang templates (#18565)
    • Improve error messages when encountering invalid functional utility names (#18568)
    • Discard CSS AST objects with false or undefined properties (#18571)
    • Allow users to disable URL rebasing in @tailwindcss/postcss via transformAssetUrls: false (#18321)
    • Fix false-positive migrations in addEventListener and JavaScript variable names (#18718)
    • Fix Standalone CLI showing default Bun help when run via symlink on Windows (#18723)
    • Read from --border-color-* theme keys in divide-* utilities for backwards compatibility (#18704)
    • Don't scan .hdr and .exr files for classes by default (#18734)
  • 4.1.11 - 2025-06-26

    Fixed

    • Add heuristic to skip candidate migrations inside emit(…) (#18330)
    • Extract candidates with variants in Clojure/ClojureScript keywords (#18338)
    • Document --watch=always in the CLI's usage (#18337)
    • Add support for Vite 7 to @tailwindcss/vite (#18384)
  • 4.1.10 - 2025-06-11
  • 4.1.9 - 2025-06-11
  • 4.1.8 - 2025-05-28
  • 4.1.7 - 2025-05-15
  • 4.1.6 - 2025-05-09
  • 4.1.5 - 2025-04-30
  • 4.1.4 - 2025-04-14
  • 4.1.3 - 2025-04-04
  • 4.1.2 - 2025-04-03
  • 4.1.1 - 2025-04-02
  • 4.1.0 - 2025-04-01
  • 4.0.17 - 2025-03-26
  • 4.0.16 - 2025-03-25
  • 4.0.15 - 2025-03-20
  • 4.0.14 - 2025-03-13
  • 4.0.13 - 2025-03-11
  • 4.0.12 - 2025-03-07
  • 4.0.11 - 2025-03-06
  • 4.0.10 - 2025-03-05
  • 4.0.9 - 2025-02-25
  • 4.0.8 - 2025-02-21
  • 4.0.7 - 2025-02-18
  • 4.0.6 - 2025-02-10
  • 4.0.5 - 2025-02-08
  • 4.0.4 - 2025-02-06
  • 4.0.3 - 2025-02-01
  • 4.0.2 - 2025-01-31
  • 4.0.1 - 2025-01-29
  • 4.0.0 - 2025-01-21
  • 4.0.0-beta.10 - 2025-01-21
  • 4.0.0-beta.9 - 2025-01-09
  • 4.0.0-beta.8 - 2024-12-17
  • 4.0.0-beta.7 - 2024-12-13
  • 4.0.0-beta.6 - 2024-12-06
  • 4.0.0-beta.5 - 2024-12-04
  • 4.0.0-beta.4 - 2024-11-29
  • 4.0.0-beta.3 - 2024-11-27
  • 4.0.0-beta.2 - 2024-11-22
  • 4.0.0-beta.1 - 2024-11-21
  • 4.0.0-alpha.36 - 2024-11-21
  • 4.0.0-alpha.35 - 2024-11-20
  • 4.0.0-alpha.34 - 2024-11-14
  • 4.0.0-alpha.33 - 2024-11-12
  • 4.0.0-alpha.32 - 2024-11-11
  • 4.0.0-alpha.31 - 2024-10-30
  • 4.0.0-alpha.30 - 2024-10-24
  • 4.0.0-alpha.29 - 2024-10-23
  • 4.0.0-alpha.28 - 2024-10-17
  • 4.0.0-alpha.27 - 2024-10-15
  • 4.0.0-alpha.26 - 2024-10-03
  • 4.0.0-alpha.25 - 2024-09-24
  • 4.0.0-alpha.24 - 2024-09-12
  • 4.0.0-alpha.23 - 2024-09-05
  • 4.0.0-alpha.22 - 2024-09-05
  • 4.0.0-alpha.21 - 2024-09-02
  • 4.0.0-alpha.20 - 2024-08-23
  • 4.0.0-alpha.19 - 2024-08-09
  • 4.0.0-alpha.18 - 2024-07-25
  • 4.0.0-alpha.17 - 2024-07-04
  • 4.0.0-alpha.16 - 2024-06-07
  • 4.0.0-alpha.15 - 2024-05-08
  • 4.0.0-alpha.14 - 2024-04-09
  • 4.0.0-alpha.13 - 2024-04-04
  • 4.0.0-alpha.12 - 2024-04-04
  • 4.0.0-alpha.11 - 2024-03-27
  • 4.0.0-alpha.10 - 2024-03-21
  • 4.0.0-alpha.9 - 2024-03-13
  • 4.0.0-alpha.8 - 2024-03-11
  • 4.0.0-alpha.7 - 2024-03-08
  • 4.0.0-alpha.6 - 2024-03-07
  • 4.0.0-alpha.5 - 2024-03-06
  • 4.0.0-alpha.4 - 2024-03-06
  • 4.0.0-alpha.3 - 2024-03-06
  • 4.0.0-alpha.2 - 2024-03-06
  • 4.0.0-alpha.1 - 2024-03-05
  • 3.4.19 - 2025-12-10

    Fixed

    • Don’t break sibling-*() functions when used inside calc(…) (#19335)
  • 3.4.18 - 2025-10-01

    Fixed

    • Improve support for raw supports-[…] queries in arbitrary values (#13605)
    • Fix require.cache error when loaded through a TypeScript file in Node 22.18+ (#18665)
    • Support import.meta.resolve(…) in configs for new enough Node.js versions (#18938)
    • Allow using newer versions of postcss-load-config for better ESM and TypeScript PostCSS config support with the CLI (#18938)
    • Remove irrelevant utility rules when matching important classes (#19030)
  • 3.4.17 - 2024-12-17
from tailwindcss GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
tailwindcss

See this project in Snyk:
https://app.snyk.io/org/thoughtspot/project/2c0c73f7-d04f-4dfe-a2f6-3ed191805256?utm_source=github&utm_medium=referral&page=upgrade-pr
mnk-blr commented Jan 17, 2026

Snyk checks have passed. No issues have been found so far.

| Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- |
| Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| Licenses | 0 | 0 | 0 | 0 | 0 issues |
| Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
