chore: update dependency stylelint to v15 [SECURITY] - abandoned

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
stylelint (source)	^14.9.1 -> ^15.0.0

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.

---

Release Notes

stylelint/stylelint (stylelint)

v15.10.1

Compare Source

• Security: fix for semver vulnerability (#​7043) (@​romainmenke).
• Fixed: invalid option regression on Windows 10 (#​7043) (@​romainmenke).

v15.10.0

Compare Source

• Added: media-query-no-invalid (#​6963) (@​romainmenke).
• Added: support for JS objects with extends config option (#​6998) (@​fpetrakov).
• Fixed: inconsistent errored properties in stylelint.lint() return value (#​6983) (@​ybiquitous).
• Fixed: {selector,value}-no-vendor-prefix performance (#​7016) (@​jeddy3).
• Fixed: custom-property-pattern performance (#​7009) (@​jeddy3).
• Fixed: function-linear-gradient-no-nonstandard-direction false positives for <color-interpolation-method> (#​6987) (@​romainmenke).
• Fixed: function-name-case performance (#​7010) (@​jeddy3).
• Fixed: function-no-unknown performance (#​7004) (@​jeddy3).
• Fixed: function-url-quotes performance (#​7011) (@​jeddy3).
• Fixed: hue-degree-notation false negatives for oklch (#​7015) (@​romainmenke).
• Fixed: hue-degree-notation performance (#​7012) (@​jeddy3).
• Fixed: media-feature-name-no-unknown false positives for environment-blending, nav-controls, prefers-reduced-data, and video-color-gamut (#​6978) (@​romainmenke).
• Fixed: media-feature-name-no-vendor-prefix positions for *-device-pixel-ratio (#​6977) (@​romainmenke).
• Fixed: no-descending-specificity performance (#​7026) (@​romainmenke).
• Fixed: no-duplicate-at-import-rules false negatives for imports with supports and layer conditions (#​7001) (@​romainmenke).
• Fixed: selector-anb-no-unmatchable performance (#​7042) (@​romainmenke).
• Fixed: selector-id-pattern performance (#​7013) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false negatives for pseudo-elements with matching names (#​6964) (@​Mouvedia).
• Fixed: selector-pseudo-element-no-unknown performance (#​7007) (@​jeddy3).
• Fixed: selector-type-case performance (#​7041) (@​romainmenke).
• Fixed: selector-type-no-unknown performance (#​7027) (@​romainmenke).
• Fixed: unit-disallowed-list false negatives with percentages (#​7018) (@​romainmenke).

v15.9.0

Compare Source

• Added: insideFunctions: {"function": int} to number-max-precision (#​6932) (@​romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-radius shorthand (#​6958) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-width shorthand (#​6956) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-column and grid-row (#​6957) (@​mattxwang).

v15.8.0

Compare Source

• Added: media-feature-name-value-no-unknown (#​6906) (@​romainmenke).
• Added: support for .mjs configuration files (#​6910) (@​ybiquitous).
• Fixed: --print-config description in CLI help (#​6914) (@​ybiquitous).
• Fixed: allowEmptyInput option in configuration files (#​6929) (@​ybiquitous).
• Fixed: custom-property-no-missing-var-function performance (#​6922) (@​romainmenke).
• Fixed: function-calc-no-unspaced-operator performance (#​6923) (@​romainmenke).
• Fixed: function-linear-gradient-no-nonstandard-direction performance (#​6924) (@​romainmenke).
• Fixed: function-no-unknown false positives for SCSS functions with namespace (#​6921) (@​romainmenke).
• Fixed: max-nesting-depth error for at-rules in Sass syntax (#​6909) (@​ybiquitous).
• Fixed: selector-anb-no-unmatchable performance (#​6925) (@​romainmenke).
• Fixed: remove v8-compile-cache dependency (#​6907) (@​ybiquitous).

v15.7.0

Compare Source

• Added: splitList: boolean to selector-nested-pattern (#​6896) (@​is2ei).
• Fixed: unit-no-unknown false positives for unicode-range descriptors (#​6892) (@​romainmenke).
• Fixed: segmentation fault errors for Cosmiconfig 8.2 (#​6902) (@​romainmenke).

v15.6.3

Compare Source

• Fixed: alpha-value-notation false positives for color() (#​6885) (@​romainmenke).
• Fixed: alpha-value-notation performance with improved benchmark script (#​6864) (@​romainmenke).
• Fixed: at-rule-property-required-list performance (#​6865) (@​romainmenke).
• Fixed: color-* performance (#​6868) (@​romainmenke).
• Fixed: length-zero-no-unit false positives on new math functions (#​6871) (@​romainmenke).
• Fixed: string formatter for unexpected truncation on non-ASCII characters (#​6861) (@​Max10240).
• Fixed: unit-no-unknown false positives for the second and subsequent image-set() with x descriptor (#​6879) (@​romainmenke).

v15.6.2

Compare Source

• Fixed: alpha-value-notation false negatives for oklab(), oklch(), and color() (#​6844) (@​romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix with cubic-bezier() (#​6841) (@​romainmenke).
• Fixed: function-no-unknown false positives for unspaced operators against nested brackets (#​6842) (@​romainmenke).
• Fixed: function-url-quotes false positives for SCSS with() construct (#​6847) (@​ybiquitous).
• Fixed: media-feature-name-no-unknown false positives for not and or (#​6838) (@​romainmenke).

v15.6.1

Compare Source

• Fixed: declaration-block-no-redundant-longhand-properties autofix for transition (#​6815) (@​mattxwang).
• Fixed: github formatter for missing final newline (#​6822) (@​konomae).
• Fixed: selector-pseudo-class-no-unknown false positive for :modal (#​6811) (@​Yasir761).

v15.6.0

Compare Source

• Added: allowEmptyInput, cache, fix options to configuration object (#​6778) (@​mattxwang).
• Added: ignore: ["with-var-inside"] to color-function-notation (#​6802) (@​mattxwang).
• Fixed: declaration-block-no-duplicate-properties autofix for 3 or more duplicates (#​6801) (@​mattxwang).
• Fixed: declaration-block-no-duplicate-properties false positives with option ignore: ["consecutive-duplicates-with-different-syntaxes"] (#​6797) (@​romainmenke).
• Fixed: declaration-block-no-duplicate-properties syntax error (#​6792) (@​yoyo837).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-template (#​6777) (@​mattxwang).
• Fixed: function-url-quotes autofix for comments in SCSS function (#​6800) (@​ybiquitous).

v15.5.0

Compare Source

• Added: ignore: ["consecutive-duplicates-with-different-syntaxes"] to declaration-block-no-duplicate-properties (#​6772) (@​kimulaco).
• Added: ignoreProperties: [] to declaration-block-no-duplicate-custom-properties (#​6773) (@​mattxwang).
• Added: raw regex support to ignoreProperties for declaration-block-no-duplicate-properties (#​6764) (@​ybiquitous).
• Fixed: block-no-empty false positives with non-whitespace characters (#​6782) (@​ybiquitous).
• Fixed: color-function-notation false positives for namespaced imports (#​6774) (@​mattxwang).
• Fixed: custom-property-empty-line-before false positives for CSS-in-JS (#​6767) (@​ybiquitous).
• Fixed: media-feature-range-notation parse error (#​6760) (@​fpetrakov).
• Fixed: CLI help improvements (#​6783) (@​ybiquitous).

v15.4.0

Compare Source

• Added: --quiet-deprecation-warnings flag (#​6724) (@​mattxwang).
• Added: -c alias for --config (#​6720) (@​sidverma32).
• Added: media-feature-range-notation autofix (#​6742) (@​romainmenke).
• Added: no-unknown-custom-properties rule (#​6731) (@​jameschensmith).
• Fixed: function-url-quotes autofix for double-slash comments in SCSS maps (#​6745) (@​jgerigmeyer).
• Fixed: isPathIgnored() utility's performance (#​6728) (@​ybiquitous).
• Fixed: rule-selector-property-disallowed-list secondary options (#​6723) (@​mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties with basic keywords (#​6748) (@​mattxwang).
• Fixed: deprecation warnings for disabled rules (#​6747) (@​ybiquitous).

v15.3.0

Compare Source

• Added: configurationComment configuration property (#​6629) (@​ifitzpatrick).
• Added: selector-anb-no-unmatchable rule (#​6678) (@​mattxwang).
• Fixed: TypeScript error for CommonJS importing (#​6703) (@​remcohaszing).
• Fixed: *-no-redundant-* false negatives for inset shorthand (#​6699) (@​rayrw).
• Fixed: function-url-quotes autofix for multiple url() (#​6711) (@​ybiquitous).
• Fixed: value-keyword-case false positives for Level 4 system colours (#​6712) (@​thewilkybarkid).

v15.2.0

Compare Source

• Added: messageArgs to 76 rules (#​6589) (@​kizu).
• Fixed: TypeScript error to export Plugin and RuleContext (#​6664) (@​henryruhs).
• Fixed: overrides.extends order when including same rules (#​6660) (@​kuoruan).
• Fixed: annotation-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: declaration-property-value-no-unknown false positives for at-rule descriptors (#​6669) (@​FloEdelmann).
• Fixed: declaration-property-value-no-unknown parse error for alpha(opacity=n) to report as violation (#​6650) (@​romainmenke).
• Fixed: function-name-case false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: function-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: unit-no-unknown false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).
• Fixed: value-keyword-case false positives for CSS-in-JS template literals (#​6666) (@​hudochenkov).

v15.1.0

Compare Source

• Added: declaration-block-no-redundant-longhand-properties autofix (#​6580) (@​mattxwang).
• Fixed: declaration-property-value-no-unknown false positives for env() (#​6646) (@​romainmenke).
• Fixed: function-calc-no-unspaced-operator TypeError on empty calc() (#​6634) (@​romainmenke).
• Fixed: inaccurate customSyntax inference (#​6645) (@​ybiquitous).

v15.0.0

Compare Source

Migrating to 15.0.0 guide.

• Removed: Node.js 12 support (#​6477) (@​ybiquitous). (BREAKING)
• Removed: support for processors (#​6479) (@​ybiquitous). (BREAKING)
• Removed: syntax option (#​6420) (@​fpetrakov). (BREAKING)
• Changed: extends in overrides to merge to be consistent with plugins behaviour (#​6380) (@​jasikpark). (BREAKING)
• Changed: type definitions to reorganize (#​6510) (@​ybiquitous). (BREAKING)
• Changed: type names to be more consistent (#​6503) (@​ybiquitous). (BREAKING)
• Deprecated: stylistic rules handled by Prettier (#​6504) (@​ybiquitous).
• Added: declaration-property-value-no-unknown rule (#​6511) (@​jeddy3).
• Added: media-feature-name-unit-allowed-list rule (#​6550) (@​mattxwang).
• Added: function-url-quotes autofix (#​6558) (@​mattxwang).
• Added: ignore: ["custom-elements"] to selector-max-type (#​6588) (@​muddv).
• Added: ignoreFunctions: [] to unit-disallowed-list (#​6592) (@​mattxwang).
• Added: deprecated rule warnings (#​6561) (@​ybiquitous).
• Added: message arguments to declaration-property-unit-allowed-list (#​6570) (@​mattxwang).
• Fixed: overrides.files in config to allow basename glob patterns (#​6547) (@​ybiquitous).
• Fixed: at-rule-no-unknown false positives for @scroll-timeline (#​6554) (@​mattxwang).
• Fixed: function-no-unknown false positives for interpolation and backticks in CSS-in-JS (#​6565) (@​hudochenkov).
• Fixed: keyframe-selector-notation false positives for named timeline ranges (#​6605) (@​kimulaco).
• Fixed: property-no-unknown false negatives for newer custom syntaxes (#​6553) (@​43081j).
• Fixed: selector-attribute-quotes false positives for "never" (#​6571) (@​mattxwang).
• Fixed: selector-not-notation autofix for "simple" option (#​6608) (@​Mouvedia).

v14.16.1

Compare Source

• Fixed: customSyntax resolution with configBasedir (#​6536) (@​ybiquitous).
• Fixed: declaration-block-no-duplicate-properties autofix for !important (#​6528) (@​sidx1024).
• Fixed: function-no-unknown false positives for scroll, -webkit-gradient, color-stop, from, and to (#​6539) (@​Mouvedia).
• Fixed: value-keyword-case false positives for mixed case ignoreFunctions option (#​6517) (@​kimulaco).
• Fixed: unexpected output in Node.js API lint result when any rule contains disableFix: true (#​6543) (@​adrianjost).

v14.16.0

Compare Source

• Added: media-feature-range-notation rule (#​6497) (@​jeddy3).
• Added: support for plugin objects as config values (#​6481) (@​phoenisx).
• Fixed: incorrect output by all formatters except for json (#​6480) (@​ybiquitous).

v14.15.0

Compare Source

• Added: --globby-options flag (#​6437) (@​sidverma32).
• Added: custom message formatting for at-rule-disallowed-list, declaration-property-unit-disallowed-list, declaration-property-value-disallowed-list, function-disallowed-list, and property-disallowed-list (#​6463) (@​chloerice).
• Added: support autofix with checkAgainstRule (#​6466) (@​aaronccasanova).
• Added: support for reporting with custom severity (#​6444) (@​aaronccasanova).
• Added: support to checkAgainstRule with custom rules (#​6460) (@​aaronccasanova).
• Fixed: tally output of string formatter colorized (#​6443) (@​ybiquitous).
• Fixed: usage of the import-lazy package to fit bundlers (#​6449) (@​phoenisx).

v14.14.1

Compare Source

• Fixed: declaration-block-no-redundant-longhand-properties false positives for inherit keyword (#​6419) (@​kimulaco).
• Fixed: shorthand-property-no-redundant-values message to be consistent (#​6417) (@​fpetrakov).
• Fixed: unit-no-unknown false positives for *vi & *vb viewport units (#​6428) (@​sidverma32).

v14.14.0

Compare Source

• Added: *-pattern custom message formatting (#​6391) (@​ybiquitous).
• Fixed: block-no-empty false positives for reportNeedlessDisables (#​6381) (@​ybiquitous).
• Fixed: printf-like formatting for custom messages (#​6389) (@​ybiquitous).
• Fixed: unit-no-unknown false positives for font-relative length units (#​6374) (@​ybiquitous).
• Fixed: false negatives on second run for cache and severity option (#​6384) (@​kimulaco).
• Fixed: TS compilation error due to needless file-entry-cache import (#​6393) (@​adidahiya).

v14.13.0

Compare Source

• Added: cacheStrategy option (#​6357) (@​kaorun343).
• Fixed: cache refresh when config is changed (#​6356) (@​kimulaco).
• Fixed: selector-pseudo-element-no-unknown false positives for ::highlight pseudo-element (#​6367) (@​jathak).

v14.12.1

Compare Source

• Fixed: font-weight-notation messages (#​6350) (@​ybiquitous).
• Fixed: type declarations for custom message arguments (#​6354) (@​stof).

v14.12.0

Compare Source

• Added: support for multiple --ignore-path flags (#​6345) (@​kimulaco).
• Added: experimental support for custom message arguments (#​6312) (@​ybiquitous).
• Added: declaration-block-no-duplicate-properties autofix (#​6296) (@​fpetrakov).
• Added: font-weight-notation autofix (#​6347) (@​ybiquitous).
• Added: ignore: ["inside-block"] and splitList to selector-disallowed-list (#​6334) (@​mattmanuel90).
• Added: regex support for ignorePseudoClasses option of selector-pseudo-class-no-unknown (#​6316) (@​ybiquitous).
• Added: regex support for ignorePseudoElements option of selector-pseudo-element-no-unknown (#​6317) (@​ybiquitous).
• Added: regex support for ignoreSelectors option of selector-no-vendor-prefix (#​6327) (@​ybiquitous).
• Added: regex support for ignoreTypes option of selector-type-case (#​6326) (@​ybiquitous).
• Fixed: *-no-unknown false positives for container queries (#​6318) (@​fpetrakov).
• Fixed: font-family-name-quotes false positives for interpolation and shorthand (#​6335) (@​kimulaco).
• Fixed: time-min-milliseconds incorrect location for matching violating times (#​6319) (@​kawaguchi1102).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

🦙 MegaLinter status: ⚠️ WARNING

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ ACTION	actionlint	8		0	0.06s
✅ MARKDOWN	markdownlint	17	0	0	0.3s
✅ MARKDOWN	markdown-link-check	17		0	17.93s
✅ MARKDOWN	markdown-table-formatter	17	1	0	0.26s
✅ XML	xmllint	5	0	0	0.02s
⚠️ YAML	prettier	12	0	1	0.36s

See detailed report in MegaLinter reports

MegaLinter is graciously provided by

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.