Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency stylelint to v15.10.1 [security] #2671

Merged
merged 1 commit into from
Jul 8, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 8, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
stylelint (source) 15.3.0 -> 15.10.1 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


Release Notes

stylelint/stylelint (stylelint)

v15.10.1

Compare Source

v15.10.0

Compare Source

v15.9.0

Compare Source

  • Added: insideFunctions: {"function": int} to number-max-precision (#​6932) (@​romainmenke).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for border-radius shorthand (#​6958) (@​mattxwang).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for border-width shorthand (#​6956) (@​mattxwang).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-column and grid-row (#​6957) (@​mattxwang).

v15.8.0

Compare Source

v15.7.0

Compare Source

v15.6.3

Compare Source

v15.6.2

Compare Source

v15.6.1

Compare Source

v15.6.0

Compare Source

  • Added: allowEmptyInput, cache, fix options to configuration object (#​6778) (@​mattxwang).
  • Added: ignore: ["with-var-inside"] to color-function-notation (#​6802) (@​mattxwang).
  • Fixed: declaration-block-no-duplicate-properties autofix for 3 or more duplicates (#​6801) (@​mattxwang).
  • Fixed: declaration-block-no-duplicate-properties false positives with option ignore: ["consecutive-duplicates-with-different-syntaxes"] (#​6797) (@​romainmenke).
  • Fixed: declaration-block-no-duplicate-properties syntax error (#​6792) (@​yoyo837).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-template (#​6777) (@​mattxwang).
  • Fixed: function-url-quotes autofix for comments in SCSS function (#​6800) (@​ybiquitous).

v15.5.0

Compare Source

v15.4.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the renovate label Jul 8, 2023
@renovate renovate bot merged commit c8bf26b into main Jul 8, 2023
@renovate renovate bot deleted the renovate/npm-stylelint-vulnerability branch July 8, 2023 03:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants