security: npm audit fix for GHSA-hfm8-9jrf-7g9w et. al

Closes #1097

I'm not sure that this is required, but I'd sleep better at night not
finding out that it is required the hard way.

Signed-off-by: Xe Iaso <me@xeiaso.net>

package.json

@@ -22,13 +22,13 @@
     "cssnano-preset-advanced": "^7.0.9",
     "esbuild": "^0.25.9",
     "playwright": "^1.52.0",
-    "postcss-cli": "^11.0.1",
+    "postcss-cli": "^6.1.3",
     "postcss-import": "^16.1.1",
-    "postcss-import-url": "^7.2.0",
+    "postcss-import-url": "^1.0.0",
     "postcss-url": "^10.1.3"
   },
   "dependencies": {
     "@aws-crypto/sha256-js": "^5.2.0",
     "preact": "^10.27.1"
   }
-}
+}