fix(deps): update tailwind css (major) #496

Merged: dylanratcliffe merged 1 commit into main from renovate/major-tailwind on Mar 24, 2026

@renovate renovate bot commented Feb 26, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change
tailwind-merge | ^2.6.0 → ^3.0.0
tailwindcss (source) | ^3.4.17 → ^4.0.0

Release Notes

dcastil/tailwind-merge (tailwind-merge)

v3.5.0

Compare Source

New Features

Full Changelog: dcastil/tailwind-merge@v3.4.1...v3.5.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.1

Compare Source

Bug Fixes

Full Changelog: dcastil/tailwind-merge@v3.4.0...v3.4.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.0

Compare Source

v3.3.1

Compare Source

Bug Fixes
  • Fix arbitrary value using color-mix() not being detected as color by @​dcastil in #​591

Full Changelog: dcastil/tailwind-merge@v3.3.0...v3.3.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph, a private sponsor, @​block and @​shawt3000 for sponsoring tailwind-merge! ❤️

v3.3.0

Compare Source

New Features

Full Changelog: dcastil/tailwind-merge@v3.2.0...v3.3.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph, a private sponsor and @​block for sponsoring tailwind-merge! ❤️

v3.2.0

Compare Source

New Features

Full Changelog: dcastil/tailwind-merge@v3.1.0...v3.2.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​jamesreaco, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph and a private sponsor for sponsoring tailwind-merge! ❤️

v3.1.0

Compare Source

New Features
Bug Fixes
  • Fix length variable in via-(length:*) class being merged with via-<color> classes accidentally by @​dcastil in #​559
Documentation
Other

Full Changelog: dcastil/tailwind-merge@v3.0.2...v3.1.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​jamesreaco, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph and a private sponsor for sponsoring tailwind-merge! ❤️

v3.0.2

Compare Source

Bug Fixes

Full Changelog: dcastil/tailwind-merge@v3.0.1...v3.0.2

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​jamesreaco, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph and a private sponsor for sponsoring tailwind-merge! ❤️

v3.0.1

Compare Source

Bug Fixes

Full Changelog: dcastil/tailwind-merge@v3.0.0...v3.0.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​jamesreaco, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph and a private sponsor for sponsoring tailwind-merge! ❤️

v3.0.0

Compare Source

Tailwind CSS v4 is here and it's time to upgrade tailwind-merge to support it. tailwind-merge v3.0.0 is more accurate than ever and follows the Tailwind CSS spec more closely than in v2. That is thanks to Tailwind CSS v4 being more consistent than ever.

This release drops support for Tailwind CSS v3 and in turn adds support for Tailwind CSS v4. That means you should upgrade to Tailwind CSS v4 and tailwind-merge v3 together. All breaking changes are related to the Tailwind CSS v4 support.

Check out the migration guide and if you have any questions, feel free to create an issue.

Breaking Changes
  • Dropping support for Tailwind CSS v3 in favor of support for Tailwind CSS v4 by @​dcastil in #​518
  • Theme scales keys changed and now match Tailwind CSS v4 theme variable namespace exactly by @​dcastil in #​518
  • isLength validator was removed and split into separate validators isNumber and isFraction by @​dcastil in #​518
  • Prefix defined in config shouldn't include combining - character anymore by @​dcastil in #​518
  • Tailwind CSS v3 prefix position in class not supported anymore in favor of Tailwind CSS v4 position by @​dcastil in #​518
  • Custom separators are no longer supported by @​dcastil in #​518
  • New mandatory orderSensitiveModifiers property in config when using createTailwindMerge by @​dcastil in #​518
  • DefaultThemeGroupIds type union consists of different string literals than before by @​dcastil in #​518
  • Classes removed in Tailwind CSS v4 are not supported by tailwind-merge anymore by @​dcastil in #​518
New Features
  • Support for new important modifier position at the end of class by @​dcastil in #​518
  • Support for arbitrary CSS variable syntax by @​dcastil in #​518
  • There are a bunch of new validators used by tailwind-merge, primarily for new Tailwind CSS v4 features like arbitrary CSS variables by @​dcastil in #​518
Bug Fixes
  • Previously some order-sensitive modifiers like before: were treated as not order-sensitive. This is now fixed by @​dcastil in #​518
Documentation

Full Changelog: dcastil/tailwind-merge@v2.6.0...v3.0.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​jamesreaco, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, @​sourcegraph and a private sponsor for sponsoring tailwind-merge! ❤️

tailwindlabs/tailwindcss (tailwindcss)

v4.2.1

Compare Source

Fixed
  • Allow trailing dash in functional utility names for backwards compatibility (#​19696)
  • Properly detect classes containing . characters within curly braces in MDX files (#​19711)

v4.2.0

Compare Source

Added
  • Add mauve, olive, mist, and taupe color palettes to the default theme (#​19627)
  • Add @tailwindcss/webpack package to run Tailwind CSS as a webpack plugin (#​19610)
  • Add pbs-* and pbe-* utilities for padding-block-start and padding-block-end (#​19601)
  • Add mbs-* and mbe-* utilities for margin-block-start and margin-block-end (#​19601)
  • Add scroll-pbs-* and scroll-pbe-* utilities for scroll-padding-block-start and scroll-padding-block-end (#​19601)
  • Add scroll-mbs-* and scroll-mbe-* utilities for scroll-margin-block-start and scroll-margin-block-end (#​19601)
  • Add border-bs-* and border-be-* utilities for border-block-start and border-block-end (#​19601)
  • Add inline-*, min-inline-*, max-inline-* utilities for inline-size, min-inline-size, and max-inline-size (#​19612)
  • Add block-*, min-block-*, max-block-* utilities for block-size, min-block-size, and max-block-size (#​19612)
  • Add inset-s-*, inset-e-*, inset-bs-*, inset-be-* utilities for inset-inline-start, inset-inline-end, inset-block-start, and inset-block-end (#​19613)
  • Add font-features-* utility for font-feature-settings (#​19623)
Fixed
  • Prevent double @supports wrapper for color-mix values (#​19450)
  • Allow whitespace around @source inline() argument (#​19461)
  • Emit comment when source maps are saved to files when using @tailwindcss/cli (#​19447)
  • Detect utilities containing capital letters followed by numbers (#​19465)
  • Fix class extraction for Rails' strict locals (#​19525)
  • Align @utility name validation with Oxide scanner rules (#​19524)
  • Fix infinite loop when using @variant inside @custom-variant (#​19633)
  • Allow multiples of .25 in aspect-* fractions (e.g. aspect-8.5/11) (#​19688)
  • Ensure changes to external files listed via @source trigger a full page reload when using @tailwindcss/vite (#​19670)
  • Improve performance of Oxide scanner in bigger projects by reducing file system walks (#​19632)
  • Ensure import aliases in Astro v5 work without crashing when using @tailwindcss/vite (#​19677)
  • Allow escape characters in @utility names to improve support with formatters such as Biome (#​19626)
  • Fix incorrect canonicalization results when canonicalizing multiple times (#​19675)
  • Add .jj to default ignored content directories (#​19687)
Deprecated
  • Deprecate start-* and end-* utilities in favor of inset-s-* and inset-e-* utilities (#​19613)

v4.1.18

Compare Source

Fixed
  • Ensure validation of source(…) happens relative to the file it is in (#​19274)
  • Include filename and line numbers in CSS parse errors (#​19282)
  • Skip comments in Ruby files when checking for class names (#​19243)
  • Skip over arbitrary property utilities with a top-level ! in the value (#​19243)
  • Support environment API in @tailwindcss/vite (#​18970)
  • Preserve case of theme keys from JS configs and plugins (#​19337)
  • Write source maps correctly on the CLI when using --watch (#​19373)
  • Handle special defaults (like ringColor.DEFAULT) in JS configs (#​19348)
  • Improve backwards compatibility for content theme key from JS configs (#​19381)
  • Upgrade: Handle future and experimental config keys (#​19344)
  • Try to canonicalize any arbitrary utility to a bare value (#​19379)
  • Validate candidates similarly to Oxide (#​19397)
  • Canonicalization: combine text-* and leading-* classes (#​19396)
  • Correctly handle duplicate CLI arguments (#​19416)
  • Don’t emit color-mix fallback rules inside @keyframes (#​19419)
  • CLI: Don't hang when output is /dev/stdout (#​19421)

v4.1.17

Compare Source

Fixed
  • Substitute @variant inside legacy JS APIs (#​19263)
  • Prevent occasional crash on Windows when loaded into a worker thread (#​19242)

v4.1.16

Compare Source

Fixed
  • Discard candidates with an empty data type (#​19172)
  • Fix canonicalization of arbitrary variants with attribute selectors (#​19176)
  • Fix invalid colors due to nested & (#​19184)
  • Improve canonicalization for & > :pseudo and & :pseudo arbitrary variants (#​19178)

v4.1.15

Compare Source

Fixed
  • Fix Safari devtools rendering issue due to color-mix fallback (#​19069)
  • Suppress Lightning CSS warnings about :deep, :slotted, and :global (#​19094)
  • Fix resolving theme keys when starting with the name of another theme key in JS configs and plugins (#​19097)
  • Allow named groups in combination with not-*, has-*, and in-* (#​19100)
  • Prevent important utilities from affecting other utilities (#​19110)
  • Don’t index into strings with the theme(…) function (#​19111)
  • Fix parsing issue when \t is used in at-rules (#​19130)
  • Upgrade: Canonicalize utilities containing 0 values (#​19095)
  • Upgrade: Migrate deprecated break-words to wrap-break-word (#​19157)
Changed

v4.1.14

Compare Source

Fixed
  • Handle ' syntax in ClojureScript when extracting classes (#​18888)
  • Handle @variant inside @custom-variant (#​18885)
  • Merge suggestions when using @utility (#​18900)
  • Ensure that file system watchers created when using the CLI are always cleaned up (#​18905)
  • Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#​18907)
  • Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#​18907)
  • Prevent duplicate CSS when overwriting a static utility with a theme key (#​18056)
  • Show Lightning CSS warnings (if any) when optimizing/minifying (#​18918)
  • Use default export condition for @tailwindcss/vite (#​18948)
  • Re-throw errors from PostCSS nodes (#​18373)
  • Detect classes in markdown inline directives (#​18967)
  • Ensure files with only @theme produce no output when built (#​18979)
  • Support Maud templates when extracting classes (#​18988)
  • Upgrade: Do not migrate variant = 'outline' during upgrades (#​18922)
  • Upgrade: Show version mismatch (if any) when running upgrade tool (#​19028)
  • Upgrade: Ensure first class inside className is migrated (#​19031)
  • Upgrade: Migrate classes inside *ClassName and *Class attributes (#​19031)

v4.1.13

Compare Source

Changed
  • Drop warning from browser build (#​18731)
  • Drop exact duplicate declarations when emitting CSS (#​18809)
Fixed
  • Don't transition visibility when using transition (#​18795)
  • Discard matched variants with unknown named values (#​18799)
  • Discard matched variants with non-string values (#​18799)
  • Show suggestions for known matchVariant values (#​18798)
  • Replace deprecated clip with clip-path in sr-only (#​18769)
  • Hide internal fields from completions in matchUtilities (#​18820)
  • Ignore .vercel folders by default (can be overridden by @source … rules) (#​18855)
  • Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#​18869)
  • Do not allow custom variants to start or end with a - or _ (#​18867, #​18872)
  • Upgrade: Migrate aria theme keys to @custom-variant (#​18815)
  • Upgrade: Migrate data theme keys to @custom-variant (#​18816)
  • Upgrade: Migrate supports theme keys to @custom-variant (#​18817)

v4.1.12

Compare Source

Fixed
  • Don't consider the global important state in @apply (#​18404)
  • Add missing suggestions for flex-<number> utilities (#​18642)
  • Fix trailing ) from interfering with extraction in Clojure keywords (#​18345)
  • Detect classes inside Elixir charlist, word list, and string sigils (#​18432)
  • Track source locations through @plugin and @config (#​18345)
  • Allow boolean values of process.env.DEBUG in @tailwindcss/node (#​18485)
  • Ignore consecutive semicolons in the CSS parser (#​18532)
  • Center the dropdown icon added to an input with a paired datalist by default (#​18511)
  • Extract candidates in Slang templates (#​18565)
  • Improve error messages when encountering invalid functional utility names (#​18568)
  • Discard CSS AST objects with false or undefined properties (#​18571)
  • Allow users to disable URL rebasing in @tailwindcss/postcss via transformAssetUrls: false (#​18321)
  • Fix false-positive migrations in addEventListener and JavaScript variable names (#​18718)
  • Fix Standalone CLI showing default Bun help when run via symlink on Windows (#​18723)
  • Read from --border-color-* theme keys in divide-* utilities for backwards compatibility (#​18704)
  • Don't scan .hdr and .exr files for classes by default (#​18734)

v4.1.11

Compare Source

Fixed
  • Add heuristic to skip candidate migrations inside emit(…) (#​18330)
  • Extract candidates with variants in Clojure/ClojureScript keywords (#​18338)
  • Document --watch=always in the CLI's usage (#​18337)
  • Add support for Vite 7 to @tailwindcss/vite (#​18384)

v4.1.10

Compare Source

Fixed
  • Fix incorrectly generated CSS when using percentages in arbitrary values with calc (e.g. w-[calc(100%-var(--offset))]) (#​18289)

v4.1.9

Compare Source

Fixed
  • Correctly parse custom properties with strings containing semicolons (#​18251)
  • Upgrade: Migrate arbitrary modifiers without percentage signs to bare values (e.g. /[0.16] → /16) (#​18184)
  • Upgrade: Migrate CSS variable shorthands where fallback value contains function call (#​18184)
  • Upgrade: Migrate negative arbitrary values to negative bare values (e.g. mb-[-32rem] → -mb-128) (#​18212)
  • Upgrade: Do not migrate blur in wire:model.blur (#​18216)
  • Don't add spaces around CSS dashed idents when formatting math expressions (#​18220)

v4.1.8

Compare Source

Added
  • Improve error messages when @apply fails (#​18059)
Fixed
  • Upgrade: Do not migrate declarations that look like candidates in <style> blocks (#​18057, 18068)
  • Upgrade: Don't error when looking for tailwindcss in pnpm monorepos (#​18065)
  • Upgrade: Don't error when updating dependencies in pnpm monorepos (#​18065)
  • Upgrade: Migrate deprecated order-none to order-0 (#​18126)
  • Support Leptos class: attributes when extracting classes (#​18093)
  • Fix "Cannot read properties of undefined" crash on malformed arbitrary value (#​18133)
  • Upgrade: Migrate -mt-[0px] to mt-[0px] instead of the other way around (#​18154)
  • Fix Haml pre-processing crash when there is no \n at the end of the file (#​18155)
  • Ignore .pnpm-store folders by default (can be overridden by @source … rules) (#​18163)
  • Fix PostCSS crash when calling toJSON() (#​18083)

v4.1.7

Compare Source

Added
  • Upgrade: Migrate bare values to named values (#​18000)
  • Upgrade: Added cache to improve template migration performance (#​18025)
Fixed
  • Allow _ before numbers during candidate extraction (#​17961)
  • Prevent duplicate suggestions when using @theme and @utility together (#​17675)
  • Ensure that media queries within ::before and ::after pseudo selectors create valid CSS rules in production builds (#​17979)
  • Ensure that the standalone CLI does not leave temporary files behind (#​17981)
  • Ensure -rotate-* utilities properly negate arbitrary values (#​18014)
  • Ignore custom variants using :merge(…) selectors in legacy JS plugins (#​18020)
  • Ensure classes containing . are properly extracted from Clojure files (#​18038)
  • Upgrade: Fix error when using @import … source(…) (#​17963)
  • Upgrade: Change casing of utilities with named values to kebab-case to match updated theme variables (#​18017)
  • Upgrade: Don't migrate strings that match utility names in Vue attribute bindings other than class (#​18025)

v4.1.6

Compare Source

Added
  • Upgrade: Automatically convert arbitrary values to named values when possible (e.g. h-[1lh] to h-lh) (#​17831, #​17854)
  • Upgrade: Update dependencies in parallel for improved performance (#​17898)
  • Add detailed logging about @source directives, discovered files and scanned files when using DEBUG=* (#​17906, #​17952)
  • Add support for generating source maps in development (#​17775)
Fixed
  • Ensure negative arbitrary scale values generate negative values (#​17831)
  • Fix HAML extraction with embedded Ruby (#​17846)
  • Don't scan files for utilities when using @reference (#​17836)
  • Fix incorrectly replacing _ with a space in arbitrary modifier shorthand bg-red-500/(--my_opacity) (#​17889)
  • Don't scan .log files for classes by default (#​17906)
  • Ensure that custom utilities applying other custom utilities don't swallow nested @apply rules (#​17925)
  • Download platform specific package if optionalDependencies are skipped (#​17929)

v4.1.5

Compare Source

Added
  • Support using @tailwindcss/upgrade to upgrade between versions of v4.* (#​17717)
  • Add h-lh / min-h-lh / max-h-lh utilities (#​17790)
  • Transition display, visibility, content-visibility, overlay, and pointer-events when using transition to simplify @starting-style usage (#​17812)
Fixed
  • Don't scan .geojson or .db files for classes by default (#​17700, #​17711)
  • Hide default shadow suggestions when missing default shadow theme keys (#​17743)
  • Replace _ with . in theme suggestions for @utility if surrounded by digits (#​17733)
  • Skip color-mix(…) when opacity is 100% (#​17815)
  • PostCSS: Ensure that errors in imported stylesheets are recoverable (#​17754)
  • Upgrade: Bump all Tailwind CSS related dependencies during upgrade (#​17763)
  • Upgrade: Don't add - to variants starting with @ (#​17814)
  • Upgrade: Don't format stylesheets that didn't change when upgrading (#​17824)
Changed
  • Ignore .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders by default (can be overridden by @source … rules) (#​17892)
  • @source rules that point inside .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders no longer consider your .gitignore rules (#​17892)

v4.1.4

Compare Source

Added
  • Add experimental @tailwindcss/oxide-wasm32-wasi target for running Tailwind in browser environments like StackBlitz (#​17558)
Fixed
  • Ensure color-mix(…) polyfills do not cause used CSS variables to be removed (#​17555)
  • Ensure color-mix(…) polyfills create fallbacks for theme variables that reference other theme variables (#​17562)
  • Fix brace expansion in declining ranges like {10..0..5} and {0..10..-5} (#​17591)
  • Work around a Chrome rendering bug when using the skew-* utilities (#​17627)
  • Ensure container query variant names can contain hyphens (#​17628)
  • Ensure shadow-inherit, inset-shadow-inherit, drop-shadow-inherit, and text-shadow-inherit inherit the shadow color (#​17647)
  • Ensure compatibility with array tuples used in fontSize JS theme keys (#​17630)
  • Ensure folders with binary file extensions in their names are scanned for utilities (#​17595)
  • Upgrade: Convert fontSize array tuple syntax to CSS theme variables (#​17630)

v4.1.3

Compare Source

Fixed
  • Show warning when using unsupported bare value data type in --value(…) (#​17464)
  • PostCSS: Ensure changes to the input CSS file don't generate stale output when using Turbopack (#​17554)
  • Ensure classes are detected in Ruby's %w syntax in Slim templates (#​17557)

v4.1.2

Compare Source

Fixed
  • Don't rely on the presence of @layer base to polyfill @property (#​17506)
  • Support setting multiple inset shadows as arbitrary values (#​17523)
  • Fix drop-shadow-* utilities that are defined with multiple shadows (#​17515)
  • PostCSS: Fix race condition when two changes are queued concurrently (#​17514)
  • PostCSS: Ensure files containing @tailwind utilities are processed (#​17514)
  • Ensure the color-mix(…) polyfill creates fallbacks even when using colors that cannot be statically analyzed (#​17513)
  • Fix slow incremental builds with @tailwindcss/vite and @tailwindcss/postcss (especially on Windows) (#​17511)
  • Vite: Fix missing CSS file in Qwik setups (#​17533)

v4.1.1

Compare Source

Fixed
  • Handle ' syntax in ClojureScript when extracting classes (#​18888)
  • Handle @variant inside @custom-variant (#​18885)
  • Merge suggestions when using @utility (#​18900)
  • Ensure that file system watchers created when using the CLI are always cleaned up (#​18905)
  • Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#​18907)
  • Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#​18907)
  • Prevent duplicate CSS when overwriting a static utility with a theme key (#​18056)
  • Show Lightning CSS warnings (if any) when optimizing/minifying (#​18918)
  • Use default export condition for @tailwindcss/vite (#​18948)
  • Re-throw errors from PostCSS nodes (#​18373)
  • Detect classes in markdown inline directives (#​18967)
  • Ensure files with only @theme produce no output when built (#​18979)
  • Support Maud templates when extracting classes (#​18988)
  • Upgrade: Do not migrate variant = 'outline' during upgrades (#​18922)
  • Upgrade: Show version mismatch (if any) when running upgrade tool (#​19028)
  • Upgrade: Ensure first class inside className is migrated (#​19031)
  • Upgrade: Migrate classes inside *ClassName and *Class attributes (#​19031)

v4.1.0

Compare Source

Added
  • Add details-content variant (#​15319)
  • Add inverted-colors variant (#​11693)
  • Add noscript variant (#​11929, #​17431)
  • Add items-baseline-last and self-baseline-last utilities (#​13888, #​17476)
  • Add pointer-none, pointer-coarse, and pointer-fine variants (#​16946)
  • Add any-pointer-none, any-pointer-coarse, and any-pointer-fine variants (#​16941)
  • Add safe alignment utilities (#​14607)
  • Add user-valid and user-invalid variants (#​12370)
  • Add wrap-anywhere, wrap-break-word, and wrap-normal utilities (#​12128)
  • Add @source inline(…) and @source not inline(…) (#​17147)
  • Add @source not "…" (#​17255)
  • Add text-shadow-* utilities (#​17389)
  • Add mask-* utilities (#​17134)
  • Add bg-{position,size}-* utilities for arbitrary values (#​17432)
  • Add shadow-*/<alpha>, inset-shadow-*/<alpha>, drop-shadow-*/<alpha>, and text-shadow-*/<alpha> utilities to control shadow opacity (#​17398, #​17434)
  • Add drop-shadow-<color> utilities (#​17434)
  • Improve compatibility with older versions of Safari and Firefox (#​17435)
Fixed
  • Follow symlinks when resolving @source directives (#​17391)
  • Don't scan ignored files for classes when changing an ignored file triggers a rebuild using @tailwindcss/cli (#​17255)
  • Support negated content rules in legacy JavaScript configuration (#​17255)
  • Interpret syntax like @("@")md:… as @md:… in Razor files (#​17427)
  • Disallow top-level braces, top-level semicolons, and unbalanced parentheses and brackets in arbitrary values (#​17361)
  • Ensure the --theme(…) function still resolves to the CSS variables when using legacy JS plugins (#​17458)
  • Detect used theme variables in CSS module files ([#​17433](https

Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the labels dependencies (Renovatebot and dependabot updates), frontend, and javascript (Pull requests that update javascript code) on Feb 26, 2026

github-actions bot commented Feb 26, 2026

Open in Overmind ↗


✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ Multiple compute resources showing unusual weekly changes at 1 event/week for the last 2-3 months, which is infrequent compared to typical patterns.
Policies 🔴 ▃▂▁ Multiple infrastructure resources are showing unusual policy violations that may need review: an S3 bucket is missing required tags and does not have server-side encryption configured, and a security group allows SSH (port 22) access from anywhere (0.0.0.0/0).

View signals ↗


🔥 Risks

Simultaneous reassignment of both EC2 public endpoints will break external reachability and allowlists (‼️ High)
Both production EC2 instances are being updated in a way that will reassign their current AWS-generated public IP addresses and public DNS names, but the change does not introduce any stable public endpoint such as an Elastic IP, Route 53 record, or load balancer. AWS documents that automatically assigned public IPv4 addresses are not persistent across stop/start-style lifecycle changes and that the public hostname changes with the public IP, so any external dependency using the current addresses will be left pointing at stale endpoints.

When this plan applies, external monitoring targets, firewall allowlists, runbooks, ad-hoc client configurations, and any other out-of-band consumers of 35.179.137.86 / 18.175.147.19 or their corresponding ec2-...compute.amazonaws.com names will stop reaching the instances until they are manually updated. Because both public identities churn in the same change, there is no remaining stable endpoint for operators or external systems to fail over to, creating a simultaneous reachability and access-control break at the internet boundary.


🧠 Reasoning · ✔ 1 · ✖ 1

Simultaneous public IP/DNS churn risks breaking external consumers and access controls

Observations 1

Hypothesis

Both eu-west-2 EC2 instances are losing their existing public IPs and public DNS names in the same change, and there is no stable abstraction layer such as an ELB, Route53 record, or Elastic IP in front of them. Any external system that has stored these addresses directly (e.g., firewall allowlists, runbooks, SSM parameters, monitoring targets, ad-hoc client configs) will not be updated automatically by Terraform, so both endpoints may become unreachable simultaneously until every external consumer is reconfigured. This creates a cross-plan contract and observability risk at the security boundary, as external dependencies and access controls can silently drift or fail.

Investigation

Evidence Gathered

I first loaded the relevant organizational knowledge for compute, network security, high availability, security compliance, and the infrastructure quick reference. Two of those files are directly applicable here: aws-network-security explicitly says exposing individual EC2 instance public IPs directly is an anti-pattern and recommends Route 53 / ELB / CloudFront as the public abstraction layer, and security-compliance-requirements says EC2 instances must not be directly reachable from the internet at all. Those standards make public-endpoint churn and direct dependency on instance addresses a real concern in this environment, not just a generic best-practice warning.

I then queried both blast-radius EC2 instances. The current state confirms that both are live, running EC2 instances in eu-west-2a, both currently have directly assigned public IPv4 addresses and AWS-generated public DNS names, and neither is fronted by any stable endpoint resource in the blast radius. Instance 540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123 currently uses public IP 35.179.137.86 / DNS ec2-35-179-137-86.eu-west-2.compute.amazonaws.com; instance 540044833068.eu-west-2.ec2-instance.i-0464c4413cb0c54aa currently uses public IP 18.175.147.19 / DNS ec2-18-175-147-19.eu-west-2.compute.amazonaws.com. The planned diffs for both resources replace those concrete values with (known after apply), which is strong evidence that Terraform is planning an operation that will cause both public identities to be reassigned.

To verify the semantics of that churn, I checked AWS documentation. AWS states that automatically assigned public IPv4 addresses are released and new ones assigned when an instance is stopped and started, and that if you need a persistent public address you should use an Elastic IP instead. AWS also notes that using dynamic DNS to map a stable name to a new instance public IP can take up to 24 hours to propagate on the internet, and that public hostnames are derived from the public IP, so when the public IP changes the public DNS name changes as well. This matches the proposed diffs exactly and confirms that the old public IPs and hostnames are not retained automatically. (docs.aws.amazon.com)

Impact Assessment

The direct blast radius is 2 production EC2 instances: api-207c90ee-api-server and api-server. Both are currently internet-addressable by ephemeral AWS-assigned public IP/DNS values, and both are being changed in the same plan. Because there is no evidence in the plan of an Elastic IP, Route 53 record, or load balancer being introduced, any external dependency that currently points at either public IP or AWS-generated hostname will break until it is manually updated to the new value. That includes monitoring targets, firewall allowlists, runbooks, ad-hoc client configs, and any cross-system integration that stored the current endpoint out of band.

The operational consequence is not an internal east-west outage inside the VPC, because both private IPs remain unchanged, but a security-boundary and reachability break for every external consumer that depends on the current public identities. The impact is amplified because both instances churn in the same change, so there is no surviving stable endpoint to fall back to. For production-tagged infrastructure, that means simultaneous loss of all currently known public entry points until every downstream consumer is rediscovered and reconfigured. The scope of disruption is therefore all external access paths that are not Terraform-managed in this plan, across both production instances.

Conclusion

I conclude the risk is real. The decisive evidence is that both running production EC2 instances are simultaneously losing AWS-assigned public IP/DNS identities, AWS documents those identities as non-persistent unless Elastic IPs are used, and the plan contains no stable abstraction layer to absorb that churn.

✔ Hypothesis proven


Simultaneous instance updates remove fallback endpoints and increase recovery complexity

Observations 1

Hypothesis

Both eu-west-2 EC2 instances are being updated in the same plan, so their direct-to-instance access endpoints (public IP/DNS or similar) change simultaneously. This removes any stable fallback host for emergency access, backup targets, or manual recovery workflows that relied on one instance remaining unchanged. Operators must update all direct consumers in a single window, which increases operational blast radius and makes rollback/recovery dependent on AWS control-plane actions and coordinated updates across all consumers.

Investigation

Evidence Gathered

I checked the only two resources in scope via blast-radius-query: 540044833068.eu-west-2.ec2-instance.i-0464c4413cb0c54aa and 540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123. Both are currently running in eu-west-2a with stable private IPs (10.0.101.133 and 10.0.101.11) and currently have auto-assigned public IPv4 addresses and public DNS names. I also queried the full planned changes for both instances. The plan shows no concrete configuration change other than public_ip and public_dns becoming (known after apply).

I loaded the relevant organizational knowledge for compute and high availability, plus the infrastructure quick reference. The HA guidance does warn about simultaneous rollout blast radius and about recovery patterns that depend on control-plane actions, but it also requires evidence that the change actually introduces that risk for this workload. The quick reference is especially important here: it states the scale-test environment contains EC2 instances created for relationship density rather than real runtime use, but these two instances are not tagged as ovm-scale; they appear to be production-tagged instances, so I did not dismiss the concern on that basis.

I then checked AWS documentation. AWS documents that auto-assigned public IPv4 addresses are ephemeral and are replaced when an instance is stopped and started unless an Elastic IP is attached. AWS also documents that the private IP and ENI persist across stop/start, and that an Elastic IP is the mechanism for keeping a stable public address. This means the hypothesized address churn is a normal characteristic of these instances' current design, not a new failure mode introduced by this Terraform plan.

Impact Assessment

Directly affected resources: 2 EC2 instances, i-0464c4413cb0c54aa (api-server) and i-09d6479fb9b97d123 (api-207c90ee-api-server). Both would receive new public endpoints if the underlying apply path stops/starts or otherwise reprovisions them without preserving the auto-assigned public IPv4 addresses. However, the plan does not show any additional consumers, Route 53 records, Elastic IP associations, load balancer attachments, backup targets, or other direct dependencies that rely on those public endpoints.

Because no downstream consumers are present in the blast radius and no related resources are changing, I could not verify the key claim that there is an operational workflow depending on one unchanged instance as a fallback host. The only concrete thing supported by evidence is that both instances use non-static public addresses today. That is already an inherent property of the current design. This plan may cause both ephemeral public addresses to be recalculated during apply, but there is no evidence that this creates a new outage, breaks a known dependency, or materially worsens recoverability beyond the baseline risk already present whenever these instances are restarted.

Conclusion

I conclude the risk is not real for this specific change. The plan only exposes already-ephemeral EC2 public IPs as (known after apply), and I found no evidence of a concrete dependency or fallback workflow that this change will break.

✖ Hypothesis disproven


💥 Blast Radius

Items 0

Edges 0


@github-actions github-actions bot left a comment

Overmind

✅ Auto-Approved


🟢 Decision

Auto-approved: All safety checks passed


🔥 Risks Summary

High 0 · Medium 0 · Low 0


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-tailwind branch from 4ccaf7a to 9c532dd on March 5, 2026 17:39
@renovate renovate bot force-pushed the renovate/major-tailwind branch from 9c532dd to 9579d15 on March 13, 2026 16:46

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-tailwind branch from 9579d15 to 6102017 on March 18, 2026 16:52

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


View full analysis in Overmind ↗

@renovate renovate bot force-pushed the renovate/major-tailwind branch from 6102017 to 61ca9c4 on March 24, 2026 22:21

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 0 · Low 0


View full analysis in Overmind ↗

@dylanratcliffe dylanratcliffe merged commit 9ea6e3d into main Mar 24, 2026
6 of 7 checks passed
@dylanratcliffe dylanratcliffe deleted the renovate/major-tailwind branch March 24, 2026 22:26
Labels

dependencies Renovatebot and dependabot updates frontend javascript Pull requests that update javascript code
