chore(deps): update devdependency stylelint to v15 [security] - autoclosed #554
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^14.16.1
->^15.0.0
GitHub Vulnerability Alerts
GHSA-f7xj-rg7h-mc87
Summary
Our
meow
dependency (which we use for our CLI) depended onsemver@5.7.1
. A vulnerability in this version ofsemver
was recently identified and surfaced bynpm audit
:Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver show your package
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and
meow
is only used on the CLI pathway.⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older
semver
versionsThe same security fix has been backported to older
semver
versions of 5.x and 6.x. See the CVE-2022-25883 details.So, you can fix this vulnerability by just updating
semver
in your project's dependency tree, instead of updatingstylelint
. For details, see the example:package.json
:Run
npm audit
(here is no alert forsemver
):Release Notes
stylelint/stylelint (stylelint)
v15.10.1
Compare Source
semver
vulnerability (#7043) (@romainmenke).v15.10.0
Compare Source
media-query-no-invalid
(#6963) (@romainmenke).extends
config option (#6998) (@fpetrakov).errored
properties instylelint.lint()
return value (#6983) (@ybiquitous).{selector,value}-no-vendor-prefix
performance (#7016) (@jeddy3).custom-property-pattern
performance (#7009) (@jeddy3).function-linear-gradient-no-nonstandard-direction
false positives for<color-interpolation-method>
(#6987) (@romainmenke).function-name-case
performance (#7010) (@jeddy3).function-no-unknown
performance (#7004) (@jeddy3).function-url-quotes
performance (#7011) (@jeddy3).hue-degree-notation
false negatives foroklch
(#7015) (@romainmenke).hue-degree-notation
performance (#7012) (@jeddy3).media-feature-name-no-unknown
false positives forenvironment-blending
,nav-controls
,prefers-reduced-data
, andvideo-color-gamut
(#6978) (@romainmenke).media-feature-name-no-vendor-prefix
positions for*-device-pixel-ratio
(#6977) (@romainmenke).no-descending-specificity
performance (#7026) (@romainmenke).no-duplicate-at-import-rules
false negatives for imports withsupports
andlayer
conditions (#7001) (@romainmenke).selector-anb-no-unmatchable
performance (#7042) (@romainmenke).selector-id-pattern
performance (#7013) (@jeddy3).selector-pseudo-class-no-unknown
false negatives for pseudo-elements with matching names (#6964) (@Mouvedia).selector-pseudo-element-no-unknown
performance (#7007) (@jeddy3).selector-type-case
performance (#7041) (@romainmenke).selector-type-no-unknown
performance (#7027) (@romainmenke).unit-disallowed-list
false negatives with percentages (#7018) (@romainmenke).v15.9.0
Compare Source
insideFunctions: {"function": int}
tonumber-max-precision
(#6932) (@romainmenke).declaration-block-no-redundant-longhand-properties
autofix forborder-radius
shorthand (#6958) (@mattxwang).declaration-block-no-redundant-longhand-properties
autofix forborder-width
shorthand (#6956) (@mattxwang).declaration-block-no-redundant-longhand-properties
autofix forgrid-column
andgrid-row
(#6957) (@mattxwang).v15.8.0
Compare Source
media-feature-name-value-no-unknown
(#6906) (@romainmenke)..mjs
configuration files (#6910) (@ybiquitous).--print-config
description in CLI help (#6914) (@ybiquitous).allowEmptyInput
option in configuration files (#6929) (@ybiquitous).custom-property-no-missing-var-function
performance (#6922) (@romainmenke).function-calc-no-unspaced-operator
performance (#6923) (@romainmenke).function-linear-gradient-no-nonstandard-direction
performance (#6924) (@romainmenke).function-no-unknown
false positives for SCSS functions with namespace (#6921) (@romainmenke).max-nesting-depth
error for at-rules in Sass syntax (#6909) (@ybiquitous).selector-anb-no-unmatchable
performance (#6925) (@romainmenke).v8-compile-cache
dependency (#6907) (@ybiquitous).v15.7.0
Compare Source
splitList: boolean
toselector-nested-pattern
(#6896) (@is2ei).unit-no-unknown
false positives forunicode-range
descriptors (#6892) (@romainmenke).v15.6.3
Compare Source
alpha-value-notation
false positives forcolor()
(#6885) (@romainmenke).alpha-value-notation
performance with improved benchmark script (#6864) (@romainmenke).at-rule-property-required-list
performance (#6865) (@romainmenke).color-*
performance (#6868) (@romainmenke).length-zero-no-unit
false positives on new math functions (#6871) (@romainmenke).string
formatter for unexpected truncation on non-ASCII characters (#6861) (@Max10240).unit-no-unknown
false positives for the second and subsequentimage-set()
withx
descriptor (#6879) (@romainmenke).v15.6.2
Compare Source
alpha-value-notation
false negatives foroklab()
,oklch()
, andcolor()
(#6844) (@romainmenke).declaration-block-no-redundant-longhand-properties
autofix withcubic-bezier()
(#6841) (@romainmenke).function-no-unknown
false positives for unspaced operators against nested brackets (#6842) (@romainmenke).function-url-quotes
false positives for SCSSwith()
construct (#6847) (@ybiquitous).media-feature-name-no-unknown
false positives fornot
andor
(#6838) (@romainmenke).v15.6.1
Compare Source
declaration-block-no-redundant-longhand-properties
autofix fortransition
(#6815) (@mattxwang).github
formatter for missing final newline (#6822) (@konomae).selector-pseudo-class-no-unknown
false positive for:modal
(#6811) (@Yasir761).v15.6.0
Compare Source
allowEmptyInput
,cache
,fix
options to configuration object (#6778) (@mattxwang).ignore: ["with-var-inside"]
tocolor-function-notation
(#6802) (@mattxwang).declaration-block-no-duplicate-properties
autofix for 3 or more duplicates (#6801) (@mattxwang).declaration-block-no-duplicate-properties
false positives with optionignore: ["consecutive-duplicates-with-different-syntaxes"]
(#6797) (@romainmenke).declaration-block-no-duplicate-properties
syntax error (#6792) (@yoyo837).declaration-block-no-redundant-longhand-properties
autofix forgrid-template
(#6777) (@mattxwang).function-url-quotes
autofix for comments in SCSS function (#6800) (@ybiquitous).v15.5.0
Compare Source
ignore: ["consecutive-duplicates-with-different-syntaxes"]
todeclaration-block-no-duplicate-properties
(#6772) (@kimulaco).ignoreProperties: []
todeclaration-block-no-duplicate-custom-properties
(#6773) (@mattxwang).ignoreProperties
fordeclaration-block-no-duplicate-properties
(#6764) (@ybiquitous).block-no-empty
false positives with non-whitespace characters (#6782) (@ybiquitous).color-function-notation
false positives for namespaced imports (#6774) (@mattxwang).custom-property-empty-line-before
false positives for CSS-in-JS (#6767) (@ybiquitous).media-feature-range-notation
parse error (#6760) (@fpetrakov).v15.4.0
Compare Source
--quiet-deprecation-warnings
flag (#6724) (@mattxwang).-c
alias for--config
(#6720) (@sidverma32).media-feature-range-notation
autofix (#6742) (@romainmenke).no-unknown-custom-properties
rule (#6731) (@jameschensmith).function-url-quotes
autofix for double-slash comments in SCSS maps (#6745) (@jgerigmeyer).isPathIgnored()
utility's performance (#6728) (@ybiquitous).rule-selector-property-disallowed-list
secondary options (#6723) (@mattxwang).declaration-block-no-redundant-longhand-properties
with basic keywords (#6748) (@mattxwang).v15.3.0
Compare Source
configurationComment
configuration property (#6629) (@ifitzpatrick).selector-anb-no-unmatchable
rule (#6678) (@mattxwang).*-no-redundant-*
false negatives forinset
shorthand (#6699) (@rayrw).function-url-quotes
autofix for multipleurl()
(#6711) (@ybiquitous).value-keyword-case
false positives for Level 4 system colours (#6712) (@thewilkybarkid).v15.2.0
Compare Source
messageArgs
to 76 rules (#6589) (@kizu).Plugin
andRuleContext
(#6664) (@henryruhs).overrides.extends
order when including same rules (#6660) (@kuoruan).annotation-no-unknown
false positives for CSS-in-JS template literals (#6666) (@hudochenkov).declaration-property-value-no-unknown
false positives for at-rule descriptors (#6669) (@FloEdelmann).declaration-property-value-no-unknown
parse error foralpha(opacity=n)
to report as violation (#6650) (@romainmenke).function-name-case
false positives for CSS-in-JS template literals (#6666) (@hudochenkov).function-no-unknown
false positives for CSS-in-JS template literals (#6666) (@hudochenkov).unit-no-unknown
false positives for CSS-in-JS template literals (#6666) (@hudochenkov).value-keyword-case
false positives for CSS-in-JS template literals (#6666) (@hudochenkov).v15.1.0
Compare Source
declaration-block-no-redundant-longhand-properties
autofix (#6580) (@mattxwang).declaration-property-value-no-unknown
false positives forenv()
(#6646) (@romainmenke).function-calc-no-unspaced-operator
TypeError on emptycalc()
(#6634) (@romainmenke).customSyntax
inference (#6645) (@ybiquitous).v15.0.0
Compare Source
Migrating to
15.0.0
guide.syntax
option (#6420) (@fpetrakov). (BREAKING)extends
inoverrides
to merge to be consistent withplugins
behaviour (#6380) (@jasikpark). (BREAKING)declaration-property-value-no-unknown
rule (#6511) (@jeddy3).media-feature-name-unit-allowed-list
rule (#6550) (@mattxwang).function-url-quotes
autofix (#6558) (@mattxwang).ignore: ["custom-elements"]
toselector-max-type
(#6588) (@muddv).ignoreFunctions: []
tounit-disallowed-list
(#6592) (@mattxwang).declaration-property-unit-allowed-list
(#6570) (@mattxwang).overrides.files
in config to allow basename glob patterns (#6547) (@ybiquitous).at-rule-no-unknown
false positives for@scroll-timeline
(#6554) (@mattxwang).function-no-unknown
false positives for interpolation and backticks in CSS-in-JS (#6565) (@hudochenkov).keyframe-selector-notation
false positives for named timeline ranges (#6605) (@kimulaco).property-no-unknown
false negatives for newer custom syntaxes (#6553) (@43081j).selector-attribute-quotes
false positives for "never" (#6571) (@mattxwang).selector-not-notation
autofix for "simple" option (#6608) (@Mouvedia).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.