Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency stylelint to v15 [security] - autoclosed #277

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jul 7, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
stylelint (source) ^13.13.1 -> ^15.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2

Release Notes

stylelint/stylelint (stylelint)

v15.10.1

Compare Source

v15.10.0

Compare Source

v15.9.0

Compare Source

  • Added: insideFunctions: {"function": int} to number-max-precision (#​6932) (@​romainmenke).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for border-radius shorthand (#​6958) (@​mattxwang).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for border-width shorthand (#​6956) (@​mattxwang).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-column and grid-row (#​6957) (@​mattxwang).

v15.8.0

Compare Source

v15.7.0

Compare Source

v15.6.3

Compare Source

v15.6.2

Compare Source

v15.6.1

Compare Source

v15.6.0

Compare Source

  • Added: allowEmptyInput, cache, fix options to configuration object (#​6778) (@​mattxwang).
  • Added: ignore: ["with-var-inside"] to color-function-notation (#​6802) (@​mattxwang).
  • Fixed: declaration-block-no-duplicate-properties autofix for 3 or more duplicates (#​6801) (@​mattxwang).
  • Fixed: declaration-block-no-duplicate-properties false positives with option ignore: ["consecutive-duplicates-with-different-syntaxes"] (#​6797) (@​romainmenke).
  • Fixed: declaration-block-no-duplicate-properties syntax error (#​6792) (@​yoyo837).
  • Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-template (#​6777) (@​mattxwang).
  • Fixed: function-url-quotes autofix for comments in SCSS function (#​6800) (@​ybiquitous).

v15.5.0

Compare Source

v15.4.0

Compare Source

v15.3.0

Compare Source

v15.2.0

Compare Source

v15.1.0

Compare Source

v15.0.0

Compare Source

Migrating to 15.0.0 guide.

v14.16.1

Compare Source

  • Fixed: customSyntax resolution with configBasedir (#​6536) (@​ybiquitous).
  • Fixed: declaration-block-no-duplicate-properties autofix for !important (#​6528) (@​sidx1024).
  • Fixed: function-no-unknown false positives for scroll, -webkit-gradient, color-stop, from, and to (#​6539) (@​Mouvedia).
  • Fixed: value-keyword-case false positives for mixed case ignoreFunctions option (#​6517) (@​kimulaco).
  • Fixed: unexpected output in Node.js API lint result when any rule contains disableFix: true (#​6543) (@​adrianjost).

v14.16.0

Compare Source

v14.15.0

Compare Source

v14.14.1

Compare Source

  • Fixed: declaration-block-no-redundant-longhand-properties false positives for inherit keyword (#​6419) (@​kimulaco).
  • Fixed: shorthand-property-no-redundant-values message to be consistent (#​6417) (@​fpetrakov).
  • Fixed: unit-no-unknown false positives for *vi & *vb viewport units (#​6428) (@​sidverma32).

v14.14.0

Compare Source

v14.13.0

Compare Source

v14.12.1

Compare Source

v14.12.0

Compare Source

v14.11.0

Compare Source

  • Added: ignoreAfterCombinators: [] to selector-max-universal (#​6275).
  • Fixed: createPlugin type definition (#​6264).
  • Fixed: alpha-value-notation false negatives for SVG properties (#​6284).
  • Fixed: keyframes-name-pattern false positives for interpolation (#​6265).
  • Fixed: selector-nested-pattern end positions (#​6259).
  • Fixed: selector-no-qualifying-type message, positions, and false positives (#​6260).
  • Fixed: selector-no-vendor-prefix end positions (#​6261).
  • Fixed: selector-pseudo-class-allowed-list end positions and message (#​6262).
  • Fixed: selector-pseudo-class-disallowed-list end positions and message (#​6263).
  • Fixed: selector-pseudo-element-allowed-list end positions and message (#​6270).
  • Fixed: selector-pseudo-element-disallowed-list end positions and message (#​6270).
  • Fixed: shorthand-property-no-redundant-values message (#​6272).
  • Fixed: time-min-milliseconds end positions (#​6273).

v14.10.0

Compare Source

  • Added: rule metadata to public LinterResult API (#​6166).
  • Added: longhand sub-properties of shorthand properties reference data to public API (#​6168).
  • Added: meta.fixable property to each rule (#​6181).
  • Added: support for loading custom formatter from package (#​6228).
  • Added: annotation-no-unknown rule (#​6155).
  • Added: keyframe-selector-notation rule (#​6164).
  • Added: percentage-unless-within-keyword-only-block primary option to keyframe-selector-notation (#​6194).
  • Added: github formatter (#​6150).
  • Added: tally to string and verbose formatters (#​6153).
  • Added: fixable status to verbose and github formatters (#​6183).
  • Added: invalid rule primary option message for false (#​6250).
  • Fixed: exit code when nothing is passed to stylelint command (#​6175).
  • Fixed: rule message function type to not require users to handle all kind of arguments (#​6147).
  • Fixed: at-rule-* end positions (#​6163).
  • Fixed: declaration-block-no-redundant-longhand-properties end positions (#​6219).
  • Fixed: declaration-property-value-allowed-list false positives for multiple match (#​6190).
  • Fixed: declaration-property-value-disallowed-list false negatives for multiple match (#​6188).
  • Fixed: named-grid-areas-no-invalid end positions (#​6205).
  • Fixed: no-descending-specificity false positives for pseudo-classes (#​6195).
  • Fixed: no-unknown-animations end positions (#​6221).
  • Fixed: no-unknown-animations false positives for SCSS interpolation (#​6185).
  • Fixed: number-max-precision end positions (#​6184).
  • Fixed: property-* end positions (#​6174).
  • Fixed: rule-selector-property-disallowed-list end positions (#​6222).
  • Fixed: selector-attribute-name-disallowed-list end positions (#​6223).
  • Fixed: selector-attribute-operator-allowed-list end positions (#​6224).
  • Fixed: selector-attribute-operator-disallowed-list end positions (#​6225).
  • Fixed: selector-attribute-quotes end positions (#​6226).
  • Fixed: selector-class-pattern end positions (#​6227).
  • Fixed: selector-combinator-allowed-list and selector-combinator-disallowed-list end positions (#​6229).
  • Fixed: selector-disallowed-list end positions (#​6230).
  • Fixed: selector-id-pattern end positions (#​6231).
  • Fixed: selector-not-notation end positions (#​6201).
  • Fixed: selector-pseudo-element-colon-notation end positions (#​6235).
  • Fixed: string-no-newline end positions (#​6218).
  • Fixed: unit-* start and end positions (#​6169).
  • Fixed: value-no-vendor-prefix end positions (#​6173).

v14.9.1

Compare Source

  • Fixed: selector-max-specificity false positives for :nth-child (#​6140).

v14.9.0

Compare Source

  • Added: import-notation rule (#​6102).
  • Fixed: no-duplicate-selectors false positives for SCSS/Less nested interpolations (#​6118).
  • Fixed: no-descending-specificity and selector-max-specificity false positives for :is() and :where() (#​6131).

v14.8.5

Compare Source

  • Fixed: no-duplicate-selectors false positives with Less syntax (#​6111).

v14.8.4

Compare Source

  • Fixed: no-duplicate-selectors error with non-standard selectors (#​6106).

v14.8.3

Compare Source

  • Fixed: at-rule-no-unknown false positives for @layer (#​6093).
  • Fixed: length-zero-no-unit autofix for .0 values (#​6098).
  • Fixed: media-feature-name-no-unknown false positives for display-mode (#​6073).
  • Fixed: no-descending-specificity end positions (#​6049).
  • Fixed: no-duplicate-* end positions (#​6047).
  • Fixed: no-invalid-* end positions (#​6072).
  • Fixed: no-invalid-position-at-import-rule false positives for @layer (#​6094).

v14.8.2

Compare Source

  • Fixed: function-calc-no-unspaced-operator false positives for non-standard variables (#​6053).
  • Fixed: selector-*-no-unknown end positions (#​6046).

v14.8.1

Compare Source

  • Fixed: declaration-block-no-* end positions that avoid errors (#​6040).
  • Fixed: function-calc-no-unspaced-operator false positives and memory leak (#​6045).
  • Fixed: named-grid-areas-no-invalid false positives for arealess templates (#​6042).

v14.8.0

Compare Source

  • Added: keyframe-block-no-duplicate-selectors rule (#​6024).
  • Added: property-*-list support for vendor prefixes (#​6025).
  • Fixed: at-rule-*-list end positions (#​6032).
  • Fixed: at-rule-no-unknown end positions (#​6026).
  • Fixed: function-linear-gradient-no-nonstandard-direction false negative about -ms-linear-gradient (#​6031).
  • Fixed: function-no-unknown end positions (#​6038).
  • Fixed: property-no-unknown end positions (#​6039).

v14.7.1

Compare Source

  • Fixed: a regression for /* stylelint-disable */ comments (#​6018).
  • Fixed: font-family-name-quotes false positives for ui-* generic system font keywords (#​6017).

v14.7.0

Compare Source

  • Added: ranges for warnings that can be used by formatters and integrations (#​5725).
  • Added: selector-not-notation rule (#​5975).
  • Fixed: font-weight-notation false positives for Sass functions and column position (#​6005).

v14.6.1

Compare Source

  • Fixed: custom-property-pattern TypeError for "Cannot destructure property..." (#​5982).
  • Fixed: selector-type-case false positives for SVG elements (#​5973).
  • Fixed: unit-no-unknown false positives for large/small/dynamic viewport units (#​5970).

v14.6.0

Compare Source

  • Added: declaration-property-max-values rule (#​5920).
  • Fixed: *-no-important column position (#​5957).
  • Fixed: custom-property-pattern false positives for interpolation in property name (#​5949).
  • Fixed: font-family-name-quotes column position (#​5955).
  • Fixed: selector-pseudo-*-no-unknown false positives and negatives (#​5959).
  • Fixed: selector-pseudo-class-no-unknown false positives and negatives (#​5956).

v14.5.3

Compare Source

  • Fixed: *-list invalid option warnings for strings (#​5934).

v14.5.2

Compare Source

  • Fixed: clarity of invalid option warning message for objects (#​5923).
  • Fixed: *-list false negatives for invalid options (#​5924).
  • Fixed: custom-property-pattern false positives for interpolation inside var() (#​5925).
  • Fixed: declaration-property-value-*-list column position (#​5926).

v14.5.1

Compare Source

  • Fixed: function-no-unknown ENOENT and TypeErrors (#​5916).
  • Fixed: function-no-unknown false positives for interpolation (#​5914).

v14.5.0

Compare Source

  • Added: ignoreFunctions: [] to function-no-unknown (#​5901).

v14.4.0

Compare Source

  • Added: function-no-unknown rule (#​5865).
  • Added: font-family-name-quotes autofix (#​5806).
  • Fixed: throwing more informative error when all input files are ignored (#​5709).
  • Fixed: custom-property-pattern false negatives for custom properties within var() (#​5867).
  • Fixed: no-descending-specificity parseError for double-slash comments within selector lists (#​5891).
  • Fixed: selector-pseudo-element-colon-notation false positives for escaped colons (#​5879).

v14.3.0

Compare Source

  • Added: support for meta.url to rules and plugins (#​5845).
  • Added: hyperlinks for rules to terminal output (#​5835).
  • Added: hyperlinks for plugins to terminal output (#​5859).
  • Added: ignore: ["rules"] / ["at-rules"] to block-opening-brace-*-after (#​5830).
  • Added: ignoreSelectors: [] to property-case (#​5822).
  • Added: ignoreFunctions: [] to unit-allowed-list (#​5857).
  • Added: camelCaseSvgKeywords to value-keyword-case - use this option if you want legacy camel case SVG keywords like currentColor (#​5849).
  • Fixed: font-family-no-missing-generic-family-keyword false positives for revert and revert-layer (#​5852).
  • Fixed: no-descending-specificity false positives for the ::-moz-focus-inner pseudo-element (#​5831).
  • Fixed: value-keyword-case false negatives for SVG keywords like currentcolor (#​5849).

v14.2.0

Compare Source

  • Added: cwd option to Node.js API (#​5721).
  • Added: resolveConfig option to Node.js API (#​5734).
  • Fixed: showing of incorrect missing package in customSyntax require handling (#​5763).
  • Fixed: color-function-notation false positives for variables and color functions (#​5793)
  • Fixed: color-named false positives for hex with alpha-channel and false negatives for modern syntax (#​5718).
  • Fixed: declaration-empty-line-before support for HTML files (#​5689).
  • Fixed: indentation TypeError for syntaxes that use Document node

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title chore(deps): update dependency stylelint to v15 [security] chore(deps): update dependency stylelint to v15 [security] - autoclosed Jul 13, 2023
@renovate renovate bot closed this Jul 13, 2023
@renovate renovate bot deleted the renovate/npm-stylelint-vulnerability branch July 13, 2023 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants