Gathering detailed insights and metrics for css-has-pseudo
Gathering detailed insights and metrics for css-has-pseudo
Installations
npm install css-has-pseudoDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=18
Node Version
22.12.0
NPM Version
10.9.0
Releases
Unable to fetch releases
Languages
7
CSS
JavaScript
TypeScript
HTML
Nunjucks
Shell
SCSS
CSS (43.3%)
JavaScript (30.21%)
TypeScript (22.88%)
HTML (3.03%)
Nunjucks (0.48%)
Shell (0.1%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT-0 License
983 Stars
4,381 Commits
77 Forks
9 Watchers
4 Branches
132 Contributors
Updated on Jul 13, 2025
Sponsor this package
Maintainers
3
Package Meta Information
Latest Version
7.0.2
Package Id
css-has-pseudo@7.0.2
Unpacked Size
186.53 kB
Size
48.49 kB
File Count
13
NPM Version
10.9.0
Node Version
22.12.0
Published on
Dec 13, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
1
PostCSS Has Pseudo 
npm install css-has-pseudo --save-dev
PostCSS Has Pseudo lets you style elements relative to other elements in CSS, following the Selectors Level 4 specification.
To use this feature you need to do two things :
- add the PostCSS plugin that transforms the selector into a class or attribute
- add the browser polyfill that sets the attribute or class on elements in a browser
1.title:has(+ p) { 2 margin-bottom: 1.5rem; 3} 4 5/* becomes */ 6 7.js-has-pseudo [csstools-has-1a-38-2x-38-30-2t-1m-2w-2p-37-14-17-w-34-15]:not(does-not-exist) { 8 margin-bottom: 1.5rem; 9} 10.title:has(+ p) { 11 margin-bottom: 1.5rem; 12}
Usage
Add PostCSS Has Pseudo to your project:
1npm install postcss css-has-pseudo --save-dev
Use it as a PostCSS plugin:
1const postcss = require('postcss'); 2const postcssHasPseudo = require('css-has-pseudo'); 3 4postcss([ 5 postcssHasPseudo(/* pluginOptions */) 6]).process(YOUR_CSS /*, processOptions */);
Options
preserve
The preserve option determines whether the original notation
is preserved. By default the original rules are preserved.
1postcssHasPseudo({ preserve: false })
1.title:has(+ p) { 2 margin-bottom: 1.5rem; 3} 4 5/* becomes */ 6 7.js-has-pseudo [csstools-has-1a-38-2x-38-30-2t-1m-2w-2p-37-14-17-w-34-15]:not(does-not-exist) { 8 margin-bottom: 1.5rem; 9}
specificityMatchingName
The specificityMatchingName option allows you to change the selector that is used to adjust specificity.
The default value is does-not-exist.
If this is an actual class, id or tag name in your code, you will need to set a different option here.
See how :not is used to modify specificity.
1postcssHasPseudo({ specificityMatchingName: 'something-random' })Before :
1.x:has(> #a:hover) { 2 order: 11; 3}
After :
1[csstools-has-1a-3c-1m-2w-2p-37-14-1q-w-z-2p-1m-2w-33-3a-2t-36-15]:not(#does-not-exist):not(.does-not-exist) { 2 order: 11; 3}
⚠️ Known shortcomings
Performance
Determining which elements match a :has selector is relatively slow through a polyfill compared to the native feature.
A very large DOM or many and complex :has selectors can cause performance issues.
JavaScript frameworks that rewrite the DOM will be particularly affected by this.
Any contributions to speedup matching are welcome.
Please open an issue to discuss proposed changes if you are interested in contributing.
Specificity
:has transforms will result in at least one attribute selector with specificity 0, 1, 0.
If your selector only has tags we won't be able to match the original specificity.
Before :
1figure:has(> img)
After :
1[csstools-has-2u-2x-2v-39-36-2t-1m-2w-2p-37-14-1q-w-2x-31-2v-15]:not(does-not-exist):not(does-not-exist)
Plugin order
As selectors are encoded, this plugin (or postcss-preset-env) must be run after any other plugin that transforms selectors.
If other plugins are used, you need to place these in your config before postcss-preset-env or css-has-pseudo.
Please let us know if you have issues with plugins that transform selectors. Then we can investigate and maybe fix these.
Browser
1// initialize cssHasPseudo 2import cssHasPseudo from 'css-has-pseudo/browser'; 3cssHasPseudo(document);
or
1<!-- When using a CDN url you will have to manually update the version number --> 2<script src="https://unpkg.com/css-has-pseudo@7.0.2/dist/browser-global.js"></script> 3<script>cssHasPseudo(document)</script>
[!TIP] Please use a versioned url, like this :
https://unpkg.com/css-has-pseudo@7.0.2/dist/browser-global.jsWithout the version, you might unexpectedly get a new major version of the library with breaking changes.
PostCSS Has Pseudo works in all major browsers, including Internet Explorer 11. With a Mutation Observer polyfill, the script will work down to Internet Explorer 9.
Browser Usage
hover
The hover option determines if :hover pseudo-class should be tracked.
This is disabled by default because it is an expensive operation.
1cssHasPseudo(document, { hover: true });observedAttributes
The observedAttributes option determines which html attributes are observed.
If you do any client side modification of non-standard attributes and use these in combination with :has() you should add these here.
1cssHasPseudo(document, { observedAttributes: ['something-not-standard'] });forcePolyfill
The forcePolyfill option determines if the polyfill is used even when the browser has native support.
This is needed when you set preserve: false in the PostCSS plugin config.
1cssHasPseudo(document, { forcePolyfill: true });debug
The debug option determines if errors are emitted to the console in browser.
By default the polyfill will not emit errors or warnings.
1cssHasPseudo(document, { debug: true });Browser Dependencies
Web API's:
- MutationObserver
- requestAnimationFrame
- querySelectorAll with support for post CSS 2.1 selectors and
:scopeselectors.
ECMA Script:
Array.prototype.filterArray.prototype.forEachArray.prototype.indexOfArray.prototype.joinArray.prototype.mapArray.prototype.spliceRegExp.prototype.execString.prototype.matchString.prototype.replaceString.prototype.split
CORS
[!IMPORTANT] Applies to you if you load CSS from a different domain than the page.
In this case the CSS is treated as untrusted and will not be made available to the JavaScript polyfill. The polyfill will not work without applying the correct configuration for CORS.
Example :
| page | css | CORS applies |
|---|---|---|
| https://example.com/ | https://example.com/style.css | no |
| https://example.com/ | https://other.com/style.css | yes |
You might see one of these error messages :
Chrome :
DOMException: Failed to read the 'cssRules' property from 'CSSStyleSheet': Cannot access rules
Safari :
SecurityError: Not allowed to access cross-origin stylesheet
Firefox :
DOMException: CSSStyleSheet.cssRules getter: Not allowed to access cross-origin stylesheet
To resolve CORS errors you need to take two steps :
- add an HTTP header
Access-Control-Allow-Origin: <your-value>when serving your CSS file. - add
crossorigin="anonymous"to the<link rel="stylesheet">tag for your CSS file.
In a node server setting the HTTP header might look like this :
1// http://localhost:8080 is the domain of your page!
2res.setHeader('Access-Control-Allow-Origin', 'https://example.com');You can also configure a wildcard but please be aware that this might be a security risk. It is better to only set the header for the domain you want to allow and only on the responses you want to allow.
HTML might look like this :
1<link rel="stylesheet" href="https://example.com/styles.css" crossorigin="anonymous">
Using with Next.js
Given that Next.js imports packages both on the browser and on the server, you need to make sure that the package is only imported on the browser.
As outlined in the Next.js documentation, you need to load the package with a dynamic import:
1useEffect(async () => { 2 const cssHasPseudo = (await import('css-has-pseudo/browser')).default; 3 cssHasPseudo(document); 4}, []);
We recommend you load the polyfill as high up on your Next application as possible, such as your pages/_app.ts file.
How it works
The PostCSS Has Pseudo clones rules containing :has(),
replacing them with an alternative [csstools-has-] selector.
1.title:has(+ p) { 2 margin-bottom: 1.5rem; 3} 4 5/* becomes */ 6 7.js-has-pseudo [csstools-has-1a-38-2x-38-30-2t-1m-2w-2p-37-14-17-w-34-15]:not(does-not-exist) { 8 margin-bottom: 1.5rem; 9} 10.title:has(+ p) { 11 margin-bottom: 1.5rem; 12}
Next, the browser script adds a [:has] attribute to
elements otherwise matching :has natively.
1<div class="title" [csstools-has-1a-38-2x-38-30-2t-1m-2w-2p-37-14-17-w-34-15]> 2 <h1>A title block</h1> 3 <p>With an extra paragraph</p> 4</div>
No vulnerabilities found.
Reason
30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT No Attribution: LICENSE.md:0
Reason
no binaries found in the repo
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 0 commits out of 9 are checked with a SAST tool
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'
- Warn: could not determine whether codeowners review is allowed
- Warn: no status checks found to merge onto branch 'main'
- Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-preset-env.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/deploy-preset-env.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-preset-env.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/deploy-preset-env.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labeler.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/labeler.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/csstools/postcss-plugins/test.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:98
- Info: 0 out of 11 GitHub-owned GitHubAction dependencies pinned
- Info: 6 out of 7 npmCommand dependencies pinned
Reason
Found 1/24 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
- Warn: no topLevel permission defined: .github/workflows/deploy-preset-env.yml:1
- Warn: no topLevel permission defined: .github/workflows/labeler.yml:1
- Warn: no topLevel permission defined: .github/workflows/lint.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
5.8
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More