Skip to content

Stylelint has vulnerability in semver dependency

Low severity GitHub Reviewed Published Jul 6, 2023 in stylelint/stylelint • Updated Aug 16, 2024
Withdrawn This advisory was withdrawn on Jul 13, 2023

Package

npm stylelint (npm)

Affected versions

>= 8.0.0, < 15.10.1

Patched versions

15.10.1

Description

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2

References

@ybiquitous ybiquitous published to stylelint/stylelint Jul 6, 2023
Published to the GitHub Advisory Database Jul 7, 2023
Reviewed Jul 7, 2023
Withdrawn Jul 13, 2023
Last updated Aug 16, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-f7xj-rg7h-mc87

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.