chore(deps): update dependency stylelint to v15 [security] - autoclosed #277
This PR contains the following updates:

- stylelint: `^13.13.1` -> `^15.0.0`
GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our `meow` dependency (which we use for our CLI) depended on `semver@5.7.1`. A vulnerability in this version of `semver` was recently identified and surfaced by `npm audit`: Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
Details

Original post by the reporter:

"my npm audit shows the report

```
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
```

And my dependency tree for semver shows your package

```
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│   └─┬ read-pkg-up@7.0.1
│     └─┬ read-pkg@5.2.0
│       └─┬ normalize-package-data@2.5.0
│         └── semver@5.7.1 deduped
```

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.

Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and `meow` is only used on the CLI pathway.

⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older `semver` versions

The same security fix has been backported to the older `semver` 5.x and 6.x lines. See the CVE-2022-25883 details. So you can fix this vulnerability by updating only `semver` in your project's dependency tree, instead of updating `stylelint`. For details, see the example `package.json`:

Run `npm audit` (there is no alert for `semver`):
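The advisory's remediation is to fix the transitive `semver` rather than bump stylelint. The following added example (not code from the advisory, stylelint or Renovate) scans a lockfile's `packages` map for `semver` copies below the patched releases and reports the per-major pin to apply through the package manager's override mechanism. It assumes the patched versions are 7.5.2 (the advisory's range) plus 5.7.2 and 6.3.1 for the 5.x/6.x backports; the lockfile content is constructed.

```javascript
// Added example (not code from the advisory, stylelint or Renovate): scan a
// package-lock.json "packages" map (lockfileVersion 2/3) for copies of `semver`
// older than the patched releases, so the fix can be an override of the
// transitive dependency rather than a stylelint major bump.
// Patched releases assumed: 7.5.2 (the advisory's "<7.5.2" range) and, for the
// 5.x/6.x backports the advisory mentions, 5.7.2 and 6.3.1 (assumption).
const PATCHED_BY_MAJOR = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

// Parse "MAJOR.MINOR.PATCH"; any prerelease or build suffix is ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable if older than the patched release of its major line; majors below
// 5 never received a backport and are always reported.
function isVulnerableSemver(version) {
  const v = parseVersion(version);
  const patched = PATCHED_BY_MAJOR[v[0]];
  if (!patched) return v[0] < 5;
  return compareVersions(v, patched) < 0;
}

// Walk the lock file. Keys encode the physical install location, e.g.
// "node_modules/stylelint/node_modules/semver" (nesting, not the logical chain).
function findVulnerableSemver(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const location = key.split('node_modules/').filter(Boolean).map((p) => p.replace(/\/$/, ''));
    if (location[location.length - 1] !== 'semver') continue;
    if (isVulnerableSemver(entry.version)) hits.push({ location: location.join(' > '), version: entry.version });
  }
  return hits;
}

// Minimum version to pin per affected major line, for the package manager's
// override mechanism (npm `overrides`, yarn `resolutions`, pnpm `overrides`).
function requiredPins(hits) {
  const pins = {};
  for (const { version } of hits) {
    const major = parseVersion(version)[0];
    // Lines without a backport (< 5) get the lowest patched line: a major bump, so test it.
    pins[`semver@${major}`] = (PATCHED_BY_MAJOR[major] || PATCHED_BY_MAJOR[5]).join('.');
  }
  return pins;
}

// Constructed sample mirroring the advisory's tree: a hoisted semver@5.7.1 next to
// an already patched nested 7.5.2 and an unpatched nested 6.3.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/normalize-package-data': { version: '2.5.0' },
    'node_modules/semver': { version: '5.7.1' },
    'node_modules/stylelint/node_modules/semver': { version: '7.5.2' },
    'node_modules/read-pkg/node_modules/semver': { version: '6.3.0' },
  },
};
console.log(findVulnerableSemver(SAMPLE_LOCK), requiredPins(findVulnerableSemver(SAMPLE_LOCK)));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; after adding the pins and reinstalling, `npm audit` should no longer report `semver`.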
Release Notes

stylelint/stylelint (stylelint)

v15.10.1

- `semver` vulnerability (#7043) (@romainmenke).

v15.10.0

- `media-query-no-invalid` (#6963) (@romainmenke).
- `extends` config option (#6998) (@fpetrakov).
- `errored` properties in `stylelint.lint()` return value (#6983) (@ybiquitous).
- `{selector,value}-no-vendor-prefix` performance (#7016) (@jeddy3).
- `custom-property-pattern` performance (#7009) (@jeddy3).
- `function-linear-gradient-no-nonstandard-direction` false positives for `<color-interpolation-method>` (#6987) (@romainmenke).
- `function-name-case` performance (#7010) (@jeddy3).
- `function-no-unknown` performance (#7004) (@jeddy3).
- `function-url-quotes` performance (#7011) (@jeddy3).
- `hue-degree-notation` false negatives for `oklch` (#7015) (@romainmenke).
- `hue-degree-notation` performance (#7012) (@jeddy3).
- `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` (#6978) (@romainmenke).
- `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` (#6977) (@romainmenke).
- `no-descending-specificity` performance (#7026) (@romainmenke).
- `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions (#7001) (@romainmenke).
- `selector-anb-no-unmatchable` performance (#7042) (@romainmenke).
- `selector-id-pattern` performance (#7013) (@jeddy3).
- `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names (#6964) (@Mouvedia).
- `selector-pseudo-element-no-unknown` performance (#7007) (@jeddy3).
- `selector-type-case` performance (#7041) (@romainmenke).
- `selector-type-no-unknown` performance (#7027) (@romainmenke).
- `unit-disallowed-list` false negatives with percentages (#7018) (@romainmenke).

v15.9.0
- `insideFunctions: {"function": int}` to `number-max-precision` (#6932) (@romainmenke).
- `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand (#6958) (@mattxwang).
- `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand (#6956) (@mattxwang).
- `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` (#6957) (@mattxwang).

v15.8.0

- `media-feature-name-value-no-unknown` (#6906) (@romainmenke).
- `.mjs` configuration files (#6910) (@ybiquitous).
- `--print-config` description in CLI help (#6914) (@ybiquitous).
- `allowEmptyInput` option in configuration files (#6929) (@ybiquitous).
- `custom-property-no-missing-var-function` performance (#6922) (@romainmenke).
- `function-calc-no-unspaced-operator` performance (#6923) (@romainmenke).
- `function-linear-gradient-no-nonstandard-direction` performance (#6924) (@romainmenke).
- `function-no-unknown` false positives for SCSS functions with namespace (#6921) (@romainmenke).
- `max-nesting-depth` error for at-rules in Sass syntax (#6909) (@ybiquitous).
- `selector-anb-no-unmatchable` performance (#6925) (@romainmenke).
- `v8-compile-cache` dependency (#6907) (@ybiquitous).

v15.7.0

- `splitList: boolean` to `selector-nested-pattern` (#6896) (@is2ei).
- `unit-no-unknown` false positives for `unicode-range` descriptors (#6892) (@romainmenke).

v15.6.3

- `alpha-value-notation` false positives for `color()` (#6885) (@romainmenke).
- `alpha-value-notation` performance with improved benchmark script (#6864) (@romainmenke).
- `at-rule-property-required-list` performance (#6865) (@romainmenke).
- `color-*` performance (#6868) (@romainmenke).
- `length-zero-no-unit` false positives on new math functions (#6871) (@romainmenke).
- `string` formatter for unexpected truncation on non-ASCII characters (#6861) (@Max10240).
- `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor (#6879) (@romainmenke).

v15.6.2

- `alpha-value-notation` false negatives for `oklab()`, `oklch()`, and `color()` (#6844) (@romainmenke).
- `declaration-block-no-redundant-longhand-properties` autofix with `cubic-bezier()` (#6841) (@romainmenke).
- `function-no-unknown` false positives for unspaced operators against nested brackets (#6842) (@romainmenke).
- `function-url-quotes` false positives for SCSS `with()` construct (#6847) (@ybiquitous).
- `media-feature-name-no-unknown` false positives for `not` and `or` (#6838) (@romainmenke).

v15.6.1

- `declaration-block-no-redundant-longhand-properties` autofix for `transition` (#6815) (@mattxwang).
- `github` formatter for missing final newline (#6822) (@konomae).
- `selector-pseudo-class-no-unknown` false positive for `:modal` (#6811) (@Yasir761).

v15.6.0
- `allowEmptyInput`, `cache`, `fix` options to configuration object (#6778) (@mattxwang).
- `ignore: ["with-var-inside"]` to `color-function-notation` (#6802) (@mattxwang).
- `declaration-block-no-duplicate-properties` autofix for 3 or more duplicates (#6801) (@mattxwang).
- `declaration-block-no-duplicate-properties` false positives with option `ignore: ["consecutive-duplicates-with-different-syntaxes"]` (#6797) (@romainmenke).
- `declaration-block-no-duplicate-properties` syntax error (#6792) (@yoyo837).
- `declaration-block-no-redundant-longhand-properties` autofix for `grid-template` (#6777) (@mattxwang).
- `function-url-quotes` autofix for comments in SCSS function (#6800) (@ybiquitous).

v15.5.0

- `ignore: ["consecutive-duplicates-with-different-syntaxes"]` to `declaration-block-no-duplicate-properties` (#6772) (@kimulaco).
- `ignoreProperties: []` to `declaration-block-no-duplicate-custom-properties` (#6773) (@mattxwang).
- `ignoreProperties` for `declaration-block-no-duplicate-properties` (#6764) (@ybiquitous).
- `block-no-empty` false positives with non-whitespace characters (#6782) (@ybiquitous).
- `color-function-notation` false positives for namespaced imports (#6774) (@mattxwang).
- `custom-property-empty-line-before` false positives for CSS-in-JS (#6767) (@ybiquitous).
- `media-feature-range-notation` parse error (#6760) (@fpetrakov).

v15.4.0

- `--quiet-deprecation-warnings` flag (#6724) (@mattxwang).
- `-c` alias for `--config` (#6720) (@sidverma32).
- `media-feature-range-notation` autofix (#6742) (@romainmenke).
- `no-unknown-custom-properties` rule (#6731) (@jameschensmith).
- `function-url-quotes` autofix for double-slash comments in SCSS maps (#6745) (@jgerigmeyer).
- `isPathIgnored()` utility's performance (#6728) (@ybiquitous).
- `rule-selector-property-disallowed-list` secondary options (#6723) (@mattxwang).
- `declaration-block-no-redundant-longhand-properties` with basic keywords (#6748) (@mattxwang).

v15.3.0

- `configurationComment` configuration property (#6629) (@ifitzpatrick).
- `selector-anb-no-unmatchable` rule (#6678) (@mattxwang).
- `*-no-redundant-*` false negatives for `inset` shorthand (#6699) (@rayrw).
- `function-url-quotes` autofix for multiple `url()` (#6711) (@ybiquitous).
- `value-keyword-case` false positives for Level 4 system colours (#6712) (@thewilkybarkid).

v15.2.0

- `messageArgs` to 76 rules (#6589) (@kizu).
- `Plugin` and `RuleContext` (#6664) (@henryruhs).
- `overrides.extends` order when including same rules (#6660) (@kuoruan).
- `annotation-no-unknown` false positives for CSS-in-JS template literals (#6666) (@hudochenkov).
- `declaration-property-value-no-unknown` false positives for at-rule descriptors (#6669) (@FloEdelmann).
- `declaration-property-value-no-unknown` parse error for `alpha(opacity=n)` to report as violation (#6650) (@romainmenke).
- `function-name-case` false positives for CSS-in-JS template literals (#6666) (@hudochenkov).
- `function-no-unknown` false positives for CSS-in-JS template literals (#6666) (@hudochenkov).
- `unit-no-unknown` false positives for CSS-in-JS template literals (#6666) (@hudochenkov).
- `value-keyword-case` false positives for CSS-in-JS template literals (#6666) (@hudochenkov).

v15.1.0

- `declaration-block-no-redundant-longhand-properties` autofix (#6580) (@mattxwang).
- `declaration-property-value-no-unknown` false positives for `env()` (#6646) (@romainmenke).
- `function-calc-no-unspaced-operator` TypeError on empty `calc()` (#6634) (@romainmenke).
- `customSyntax` inference (#6645) (@ybiquitous).

v15.0.0
Migrating to `15.0.0` guide.

- `syntax` option (#6420) (@fpetrakov). (BREAKING)
- `extends` in `overrides` to merge to be consistent with `plugins` behaviour (#6380) (@jasikpark). (BREAKING)
- `declaration-property-value-no-unknown` rule (#6511) (@jeddy3).
- `media-feature-name-unit-allowed-list` rule (#6550) (@mattxwang).
- `function-url-quotes` autofix (#6558) (@mattxwang).
- `ignore: ["custom-elements"]` to `selector-max-type` (#6588) (@muddv).
- `ignoreFunctions: []` to `unit-disallowed-list` (#6592) (@mattxwang).
- `declaration-property-unit-allowed-list` (#6570) (@mattxwang).
- `overrides.files` in config to allow basename glob patterns (#6547) (@ybiquitous).
- `at-rule-no-unknown` false positives for `@scroll-timeline` (#6554) (@mattxwang).
- `function-no-unknown` false positives for interpolation and backticks in CSS-in-JS (#6565) (@hudochenkov).
- `keyframe-selector-notation` false positives for named timeline ranges (#6605) (@kimulaco).
- `property-no-unknown` false negatives for newer custom syntaxes (#6553) (@43081j).
- `selector-attribute-quotes` false positives for "never" (#6571) (@mattxwang).
- `selector-not-notation` autofix for "simple" option (#6608) (@Mouvedia).

v14.16.1

- `customSyntax` resolution with `configBasedir` (#6536) (@ybiquitous).
- `declaration-block-no-duplicate-properties` autofix for `!important` (#6528) (@sidx1024).
- `function-no-unknown` false positives for `scroll`, `-webkit-gradient`, `color-stop`, `from`, and `to` (#6539) (@Mouvedia).
- `value-keyword-case` false positives for mixed case `ignoreFunctions` option (#6517) (@kimulaco).
- `output` in Node.js API lint result when any rule contains `disableFix: true` (#6543) (@adrianjost).

v14.16.0

- `media-feature-range-notation` rule (#6497) (@jeddy3).
- `json` (#6480) (@ybiquitous).

v14.15.0

- `--globby-options` flag (#6437) (@sidverma32).
- `at-rule-disallowed-list`, `declaration-property-unit-disallowed-list`, `declaration-property-value-disallowed-list`, `function-disallowed-list`, and `property-disallowed-list` (#6463) (@chloerice).
- `checkAgainstRule` (#6466) (@aaronccasanova).
- `checkAgainstRule` with custom rules (#6460) (@aaronccasanova).
- `string` formatter colorized (#6443) (@ybiquitous).
- `import-lazy` package to fit bundlers (#6449) (@phoenisx).

v14.14.1

- `declaration-block-no-redundant-longhand-properties` false positives for `inherit` keyword (#6419) (@kimulaco).
- `shorthand-property-no-redundant-values` message to be consistent (#6417) (@fpetrakov).
- `unit-no-unknown` false positives for `*vi` & `*vb` viewport units (#6428) (@sidverma32).

v14.14.0
- `*-pattern` custom message formatting (#6391) (@ybiquitous).
- `block-no-empty` false positives for `reportNeedlessDisables` (#6381) (@ybiquitous).
- `printf`-like formatting for custom messages (#6389) (@ybiquitous).
- `unit-no-unknown` false positives for font-relative length units (#6374) (@ybiquitous).
- `severity` option (#6384) (@kimulaco).
- `file-entry-cache` import (#6393) (@adidahiya).

v14.13.0

- `cacheStrategy` option (#6357) (@kaorun343).
- `selector-pseudo-element-no-unknown` false positives for `::highlight` pseudo-element (#6367) (@jathak).

v14.12.1

- `font-weight-notation` messages (#6350) (@ybiquitous).

v14.12.0

- `--ignore-path` flags (#6345) (@kimulaco).
- `declaration-block-no-duplicate-properties` autofix (#6296) (@fpetrakov).
- `font-weight-notation` autofix (#6347) (@ybiquitous).
- `ignore: ["inside-block"]` and `splitList` to `selector-disallowed-list` (#6334) (@mattmanuel90).
- `ignorePseudoClasses` option of `selector-pseudo-class-no-unknown` (#6316) (@ybiquitous).
- `ignorePseudoElements` option of `selector-pseudo-element-no-unknown` (#6317) (@ybiquitous).
- `ignoreSelectors` option of `selector-no-vendor-prefix` (#6327) (@ybiquitous).
- `ignoreTypes` option of `selector-type-case` (#6326) (@ybiquitous).
- `*-no-unknown` false positives for container queries (#6318) (@fpetrakov).
- `font-family-name-quotes` false positives for interpolation and shorthand (#6335) (@kimulaco).
- `time-min-milliseconds` incorrect location for matching violating times (#6319) (@kawaguchi1102).

v14.11.0

- `ignoreAfterCombinators: []` to `selector-max-universal` (#6275).
- `createPlugin` type definition (#6264).
- `alpha-value-notation` false negatives for SVG properties (#6284).
- `keyframes-name-pattern` false positives for interpolation (#6265).
- `selector-nested-pattern` end positions (#6259).
- `selector-no-qualifying-type` message, positions, and false positives (#6260).
- `selector-no-vendor-prefix` end positions (#6261).
- `selector-pseudo-class-allowed-list` end positions and message (#6262).
- `selector-pseudo-class-disallowed-list` end positions and message (#6263).
- `selector-pseudo-element-allowed-list` end positions and message (#6270).
- `selector-pseudo-element-disallowed-list` end positions and message (#6270).
- `shorthand-property-no-redundant-values` message (#6272).
- `time-min-milliseconds` end positions (#6273).

v14.10.0
- `LinterResult` API (#6166).
- `meta.fixable` property to each rule (#6181).
- `annotation-no-unknown` rule (#6155).
- `keyframe-selector-notation` rule (#6164).
- `percentage-unless-within-keyword-only-block` primary option to `keyframe-selector-notation` (#6194).
- `github` formatter (#6150).
- `string` and `verbose` formatters (#6153).
- `verbose` and `github` formatters (#6183).
- `false` (#6250).
- `at-rule-*` end positions (#6163).
- `declaration-block-no-redundant-longhand-properties` end positions (#6219).
- `declaration-property-value-allowed-list` false positives for multiple match (#6190).
- `declaration-property-value-disallowed-list` false negatives for multiple match (#6188).
- `named-grid-areas-no-invalid` end positions (#6205).
- `no-descending-specificity` false positives for pseudo-classes (#6195).
- `no-unknown-animations` end positions (#6221).
- `no-unknown-animations` false positives for SCSS interpolation (#6185).
- `number-max-precision` end positions (#6184).
- `property-*` end positions (#6174).
- `rule-selector-property-disallowed-list` end positions (#6222).
- `selector-attribute-name-disallowed-list` end positions (#6223).
- `selector-attribute-operator-allowed-list` end positions (#6224).
- `selector-attribute-operator-disallowed-list` end positions (#6225).
- `selector-attribute-quotes` end positions (#6226).
- `selector-class-pattern` end positions (#6227).
- `selector-combinator-allowed-list` and `selector-combinator-disallowed-list` end positions (#6229).
- `selector-disallowed-list` end positions (#6230).
- `selector-id-pattern` end positions (#6231).
- `selector-not-notation` end positions (#6201).
- `selector-pseudo-element-colon-notation` end positions (#6235).
- `string-no-newline` end positions (#6218).
- `unit-*` start and end positions (#6169).
- `value-no-vendor-prefix` end positions (#6173).

v14.9.1

- `selector-max-specificity` false positives for `:nth-child` (#6140).

v14.9.0

- `import-notation` rule (#6102).
- `no-duplicate-selectors` false positives for SCSS/Less nested interpolations (#6118).
- `no-descending-specificity` and `selector-max-specificity` false positives for `:is()` and `:where()` (#6131).

v14.8.5

- `no-duplicate-selectors` false positives with Less syntax (#6111).

v14.8.4

- `no-duplicate-selectors` error with non-standard selectors (#6106).

v14.8.3
- `at-rule-no-unknown` false positives for `@layer` (#6093).
- `length-zero-no-unit` autofix for `.0` values (#6098).
- `media-feature-name-no-unknown` false positives for `display-mode` (#6073).
- `no-descending-specificity` end positions (#6049).
- `no-duplicate-*` end positions (#6047).
- `no-invalid-*` end positions (#6072).
- `no-invalid-position-at-import-rule` false positives for `@layer` (#6094).

v14.8.2

- `function-calc-no-unspaced-operator` false positives for non-standard variables (#6053).
- `selector-*-no-unknown` end positions (#6046).

v14.8.1

- `declaration-block-no-*` end positions that avoid errors (#6040).
- `function-calc-no-unspaced-operator` false positives and memory leak (#6045).
- `named-grid-areas-no-invalid` false positives for arealess templates (#6042).

v14.8.0

- `keyframe-block-no-duplicate-selectors` rule (#6024).
- `property-*-list` support for vendor prefixes (#6025).
- `at-rule-*-list` end positions (#6032).
- `at-rule-no-unknown` end positions (#6026).
- `function-linear-gradient-no-nonstandard-direction` false negative about `-ms-linear-gradient` (#6031).
- `function-no-unknown` end positions (#6038).
- `property-no-unknown` end positions (#6039).

v14.7.1

- `/* stylelint-disable */` comments (#6018).
- `font-family-name-quotes` false positives for `ui-*` generic system font keywords (#6017).

v14.7.0

- `selector-not-notation` rule (#5975).
- `font-weight-notation` false positives for Sass functions and column position (#6005).

v14.6.1

- `custom-property-pattern` TypeError for "Cannot destructure property..." (#5982).
- `selector-type-case` false positives for SVG elements (#5973).
- `unit-no-unknown` false positives for large/small/dynamic viewport units (#5970).

v14.6.0
- `declaration-property-max-values` rule (#5920).
- `*-no-important` column position (#5957).
- `custom-property-pattern` false positives for interpolation in property name (#5949).
- `font-family-name-quotes` column position (#5955).
- `selector-pseudo-*-no-unknown` false positives and negatives (#5959).
- `selector-pseudo-class-no-unknown` false positives and negatives (#5956).

v14.5.3

- `*-list` invalid option warnings for strings (#5934).

v14.5.2

- `*-list` false negatives for invalid options (#5924).
- `custom-property-pattern` false positives for interpolation inside `var()` (#5925).
- `declaration-property-value-*-list` column position (#5926).

v14.5.1

- `function-no-unknown` ENOENT and TypeErrors (#5916).
- `function-no-unknown` false positives for interpolation (#5914).

v14.5.0

- `ignoreFunctions: []` to `function-no-unknown` (#5901).

v14.4.0

- `function-no-unknown` rule (#5865).
- `font-family-name-quotes` autofix (#5806).
- `custom-property-pattern` false negatives for custom properties within `var()` (#5867).
- `no-descending-specificity` parseError for double-slash comments within selector lists (#5891).
- `selector-pseudo-element-colon-notation` false positives for escaped colons (#5879).

v14.3.0

- `meta.url` to rules and plugins (#5845).
- `ignore: ["rules"] / ["at-rules"]` to `block-opening-brace-*-after` (#5830).
- `ignoreSelectors: []` to `property-case` (#5822).
- `ignoreFunctions: []` to `unit-allowed-list` (#5857).
- `camelCaseSvgKeywords` to `value-keyword-case` - use this option if you want legacy camel case SVG keywords like `currentColor` (#5849).
- `font-family-no-missing-generic-family-keyword` false positives for `revert` and `revert-layer` (#5852).
- `no-descending-specificity` false positives for the `::-moz-focus-inner` pseudo-element (#5831).
- `value-keyword-case` false negatives for SVG keywords like `currentcolor` (#5849).

v14.2.0

- `cwd` option to Node.js API (#5721).
- `resolveConfig` option to Node.js API (#5734).
- `customSyntax` require handling (#5763).
- `color-function-notation` false positives for variables and color functions (#5793).
- `color-named` false positives for hex with alpha-channel and false negatives for modern syntax (#5718).
- `declaration-empty-line-before` support for HTML files (#5689).
- `indentation` TypeError for syntaxes that use Document node

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.