Release 15.10.1 #7050
Comments
Happy to kickstart the release process!
Manually adds changelog entry; ref: #7050 --------- Co-authored-by: Matthew Wang <matt@matthewwang.me>
I've published the new version to NPM, have verified the new release, and have opened stylelint/stylelint.io#334. It's a bit past midnight for me now, so I might have to drop off before stylelint/stylelint.io#334 gets reviewed. In that case, happy to have someone else drive home the rest of the release; if not, I'll be up in about ~6-7 hours and can wrap the rest of it up.
@mattxwang No problems. I'll take over soon. 👍🏼
All done! 🎉 I've published the advisory: GHSA-f7xj-rg7h-mc87 Thank you so much for your effort! 👏🏼
@mattxwang Thank you for getting the ball rolling! I've edited the advisory to:
Thanks everyone 💯
@jeddy3 Thanks for your follow-up!
@ybiquitous unless there's an actual vulnerability in stylelint itself you should revoke GHSA-f7xj-rg7h-mc87 as the i.e. the patch for
@G-Rath Thanks for the feedback. I'm glad to hear that
@ybiquitous you can, but you have to contact GitHub support. If you're having trouble, I have a few contacts on the GitHub security team I can reach out to to see if they can help.
@G-Rath Thanks. I've contacted GitHub support. I'll be sure to share the info if the request proceeds. @stylelint/owners You can see details of the request with our shared email address. |
@G-Rath @stylelint/owners I've received a response from GitHub support. They recommend keeping the advisory instead of withdrawing it because Stylelint users can get information about the Here's an excerpt of the response comment:
So, I've updated the advisory description, following the advice. Please check out the added section "Security fix backported to older
@ybiquitous in that case can you update the advisory to reflect the versions of Stylelint that are able to use the patched versions of semver? (v5, v6, and v7 branches). It's not enough to just add a comment, because security tools like dependabot and
Umm, it seems difficult. 🤔 I'll ask GitHub Support for more information.
This is why I recommend just withdrawing the advisory completely 😅 What GitHub support have recommended is technically correct but it means you have to do the work of maintaining the stylelint advisory to ensure it is 100% accurate which now there are backports for If you withdraw your advisory though, the semver advisory (which reflects the exact versions that are vulnerable) will still be flagged for stylelint users but you won't have to maintain the stylelint advisory to reflect any changes that happen to the semver advisory...
@G-Rath I asked GitHub support again, but unfortunately, it told me there was no way to suppress such alerts. 😓 As you commented, the current situation is not ideal, but I think we must tolerate it. Updating Instead, withdrawing the advisory published once may be a big problem. I'd like to see how it goes for a while.
@ybiquitous you need to update the advisory to reflect the versions of stylelint that can pull in vulnerable versions of
No but it does create more work for folks like myself - this advisory has resulted in dozens of our repositories being flagged even though we can now patch
Withdrawing advisories is a well-supported part of the system - there will be no problems in doing so.
@G-Rath I'm afraid about your inconvenience, but I'd like to follow the recommendation by GitHub Support that we should not withdraw the advisory.
Just to confirm, can you close such alerts instead of accepting them? Not upgrading
Their recommendation is based on the fact that there was a "vulnerability" - feel free to ask them what they think they should do now that the advisory no longer affects any version of stylelint.
While we do have that capability in our system for the short-term, it comes with a lot of red tape since we don't have a single client - so we've got a number of different security levels and folks that we engage with and discuss these things with. Given that this advisory is incorrect, I'd prefer to get that corrected to help not just myself but the ecosystem as a whole since that's really the issue here anyway.
@G-Rath Thanks for opening the Pull Request. I didn't know of the repository. Let's continue the discussion on that PR. |
Thanks @G-Rath & @ybiquitous I think we've all learnt a few things following this discussion, albeit retroactively
stylelint-config-recommended update/release
stylelint-config-standard update/release
For #7043.
Let's add a manual entry to the changelog for #5042 to https://github.com/stylelint/stylelint/pull/7048/files just before we merge:
I'm out for the rest of the day, but if anyone fancies releasing... go for it!