chore(deps): update dependency stylelint to v15.10.1 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
stylelint (source)	15.1.0 -> 15.10.1

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.

---

⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2

---

Release Notes

stylelint/stylelint (stylelint)

v15.10.1

Compare Source

• Security: fix for semver vulnerability (#​7043) (@​romainmenke).
• Fixed: invalid option regression on Windows 10 (#​7043) (@​romainmenke).

v15.10.0

Compare Source

• Added: media-query-no-invalid (#​6963) (@​romainmenke).
• Added: support for JS objects with extends config option (#​6998) (@​fpetrakov).
• Fixed: inconsistent errored properties in stylelint.lint() return value (#​6983) (@​ybiquitous).
• Fixed: {selector,value}-no-vendor-prefix performance (#​7016) (@​jeddy3).
• Fixed: custom-property-pattern performance (#​7009) (@​jeddy3).
• Fixed: function-linear-gradient-no-nonstandard-direction false positives for <color-interpolation-method> (#​6987) (@​romainmenke).
• Fixed: function-name-case performance (#​7010) (@​jeddy3).
• Fixed: function-no-unknown performance (#​7004) (@​jeddy3).
• Fixed: function-url-quotes performance (#​7011) (@​jeddy3).
• Fixed: hue-degree-notation false negatives for oklch (#​7015) (@​romainmenke).
• Fixed: hue-degree-notation performance (#​7012) (@​jeddy3).
• Fixed: media-feature-name-no-unknown false positives for environment-blending, nav-controls, prefers-reduced-data, and video-color-gamut (#​6978) (@​romainmenke).
• Fixed: media-feature-name-no-vendor-prefix positions for *-device-pixel-ratio (#​6977) (@​romainmenke).
• Fixed: no-descending-specificity performance (#​7026) (@​romainmenke).
• Fixed: no-duplicate-at-import-rules false negatives for imports with supports and layer conditions (#​7001) (@​romainmenke).
• Fixed: selector-anb-no-unmatchable performance (#​7042) (@​romainmenke).
• Fixed: selector-id-pattern performance (#​7013) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false negatives for pseudo-elements with matching names (#​6964) (@​Mouvedia).
• Fixed: selector-pseudo-element-no-unknown performance (#​7007) (@​jeddy3).
• Fixed: selector-type-case performance (#​7041) (@​romainmenke).
• Fixed: selector-type-no-unknown performance (#​7027) (@​romainmenke).
• Fixed: unit-disallowed-list false negatives with percentages (#​7018) (@​romainmenke).

v15.9.0

Compare Source

• Added: insideFunctions: {"function": int} to number-max-precision (#​6932) (@​romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-radius shorthand (#​6958) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-width shorthand (#​6956) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-column and grid-row (#​6957) (@​mattxwang).

v15.8.0

Compare Source

• Added: media-feature-name-value-no-unknown (#​6906) (@​romainmenke).
• Added: support for .mjs configuration files (#​6910) (@​ybiquitous).
• Fixed: --print-config description in CLI help (#​6914) (@​ybiquitous).
• Fixed: allowEmptyInput option in configuration files (#​6929) (@​ybiquitous).
• Fixed: custom-property-no-missing-var-function performance (#​6922) (@​romainmenke).
• Fixed: function-calc-no-unspaced-operator performance (#​6923) (@​romainmenke).
• Fixed: function-linear-gradient-no-nonstandard-direction performance (#​6924) (@​romainmenke).
• Fixed: function-no-unknown false positives for SCSS functions with namespace (#​6921) (@​romainmenke).
• Fixed: max-nesting-depth error for at-rules in Sass syntax (#​6909) (@​ybiquitous).
• Fixed: selector-anb-no-unmatchable performance (#​6925) (@​romainmenke).
• Fixed: remove v8-compile-cache dependency (#​6907) (@​ybiquitous).

v15.7.0

Compare Source

• Added: splitList: boolean to selector-nested-pattern (#​6896) (@​is2ei).
• Fixed: unit-no-unknown false positives for unicode-range descriptors (#​6892) (@​romainmenke).
• Fixed: segmentation fault errors for Cosmiconfig 8.2 (#​6902) (@​romainmenke).

v15.6.3

Compare Source

• Fixed: alpha-value-notation false positives for color() (#​6885) (@​romainmenke).
• Fixed: alpha-value-notation performance with improved benchmark script (#​6864) (@​romainmenke).
• Fixed: at-rule-property-required-list performance (#​6865) (@​romainmenke).
• Fixed: color-* performance (#​6868) (@​romainmenke).
• Fixed: length-zero-no-unit false positives on new math functions (#​6871) (@​romainmenke).
• Fixed: string formatter for unexpected truncation on non-ASCII characters (#​6861) (@​Max10240).
• Fixed: unit-no-unknown false positives for the second and subsequent image-set() with x descriptor (#​6879) (@​romainmenke).

v15.6.2

Compare Source

• Fixed: alpha-value-notation false negatives for oklab(), oklch(), and color() (#​6844) (@​romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix with cubic-bezier() (#​6841) (@​romainmenke).
• Fixed: function-no-unknown false positives for unspaced operators against nested brackets (#​6842) (@​romainmenke).
• Fixed: function-url-quotes false positives for SCSS with() construct (#​6847) (@​ybiquitous).
• Fixed: media-feature-name-no-unknown false positives for not and or (#​6838) (@​romainmenke).

v15.6.1

Compare Source

• Fixed: declaration-block-no-redundant-longhand-properties autofix for transition (#​6815) (@​mattxwang).
• Fixed: github formatter for missing final newline (#​6822) (@​konomae).
• Fixed: selector-pseudo-class-no-unknown false positive for :modal (#​6811) (@​Yasir761).

v15.6.0

Compare Source

• Added: allowEmptyInput, cache, fix options to configuration object (#​6778) (@​mattxwang).
• Added: ignore: ["with-var-inside"] to color-function-notation (#​6802) (@​mattxwang).
• Fixed: declaration-block-no-duplicate-properties autofix for 3 or more duplicates (#​6801) (@​mattxwang).
• Fixed: declaration-block-no-duplicate-properties false positives with option ignore: ["consecutive-duplicates-with-different-syntaxes"] (#​6797) (@​romainmenke).
• Fixed: declaration-block-no-duplicate-properties syntax error (#​6792) (@​yoyo837).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-template (#​6777) (@​mattxwang).
• Fixed: function-url-quotes autofix for comments in SCSS function (#​6800) (@​ybiquitous).

v15.5.0

Compare Source

• Added: ignore: ["consecutive-duplicates-with-different-syntaxes"] to declaration-block-no-duplicate-properties (#​6772) (@​kimulaco).
• Added: ignoreProperties: [] to declaration-block-no-duplicate-custom-properties (#​6773) (@​mattxwang).
• Added: raw regex support to ignoreProperties for declaration-block-no-duplicate-properties (#​6764) (@​ybiquitous).
• Fixed: block-no-empty false positives with non-whitespace characters (#​6782) (@​ybiquitous).
• Fixed: color-function-notation false positives for namespaced imports (#​6774) (@​mattxwang).
• Fixed: custom-property-empty-line-before false positives for CSS-in-JS (#​6767) (@​ybiquitous).
• Fixed: media-feature-range-notation parse error (#​6760) (@​fpetrakov).
• Fixed: CLI help improvements (#​6783) (@​ybiquitous).

v15.4.0

Compare Source

• Added: --quiet-deprecation-warnings flag (#​6724) (@​mattxwang).
• Added: -c alias for --config (#​6720) (@​sidverma32).
• Added: media-feature-range-notation autofix (#​6742) (@​romainmenke).
• Added: no-unknown-custom-properties rule (#​6731) (@​jameschensmith).
• Fixed: function-url-quotes autofix for double-slash comments in SCSS maps (#​6745) (@​jgerigmeyer).
• Fixed: isPathIgnored() utility's performance (#​6728) (@​ybiquitous).
• Fixed: rule-selector-property-disallowed-list secondary options (#​6723) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties with basic keywords (#​6748) (@​mattxwang).
• Fixed: deprecation warnings for disabled rules (#​6747) (@​ybiquitous).

v15.3.0

Compare Source

• Added: configurationComment configuration property (#​6629) (@​ifitzpatrick).
• Added: selector-anb-no-unmatchable rule (#​6678) (@​mattxwang).
• Fixed: TypeScript error for CommonJS importing (#​6703) (@​remcohaszing).
• Fixed: *-no-redundant-* false negatives for inset shorthand (#​6699) (@​rayrw).
• Fixed: function-url-quotes autofix for multiple url() (#​6711) (@​ybiquitous).
• Fixed: value-keyword-case false positives for Level 4 system colours (#​6712) (@​thewilkybarkid).

v15.2.0

Compare Source

• Added: messageArgs to 76 rules (#​6589) (@​kizu).
• Fixed: TypeScript error to export Plugin and RuleContext (#​6664) (@​henryruhs).
• Fixed: overrides.extends order when including same rules (#​6660) (@​kuoruan).
• Fixed: annotation-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: declaration-property-value-no-unknown false positives for at-rule descriptors (#​6669) (@​FloEdelmann).
• Fixed: declaration-property-value-no-unknown parse error for alpha(opacity=n) to report as violation (#​6650) (@​romainmenke).
• Fixed: function-name-case false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: function-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: unit-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: value-keyword-case false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.