Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit:
> I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.
>
> Update your package to use the 'meow' version >=10
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older semver versions
The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:

```json
{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}
```

Run npm audit (there is no alert for semver):

```console
$ npm ci
...
$ npm audit
...
stylelint 8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint
1 low severity vulnerability
...
$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2
```
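The same check that `npm ls semver` supports by eye can be run over a lockfile in CI. The script below is an added example, not code from the advisory or from stylelint. It scans a `package-lock.json` (lockfileVersion 2 or 3) for every installed `semver` copy and flags those that predate the fix. The sample lockfile and its install paths are constructed, and the 6.x and 7.x patched floors are assumptions taken from the upstream semver advisory rather than from this page.

```javascript
// Added example: find semver copies in an npm lockfile that predate the
// CVE-2022-25883 fix. Patched floors per release line: 5.7.2 is the version
// shown on this page; 6.3.1 and 7.5.2 are ASSUMPTIONS from the upstream semver
// advisory and should be verified against the CVE details.
const PATCHED_FLOORS = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

// Parse "x.y.z"; prerelease/build suffixes are ignored for this coarse check.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of two [major, minor, patch] triples.
function isBelow(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// true = predates the fix, false = patched, null = version could not be parsed.
function isVulnerableSemver(version) {
  const v = parseVersion(version);
  if (!v) return null;
  // Majors below 5 are treated as affected (assumption: no backport exists).
  const floor = v[0] < 5 ? PATCHED_FLOORS[5] : PATCHED_FLOORS[v[0]];
  // Majors without a listed floor are assumed to already include the fix.
  return floor ? isBelow(v, floor) : false;
}

// Return every installed semver copy with its install path and nesting chain.
function findSemverCopies(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfileVersion 2/3 lockfile with a 'packages' map");
  }
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== "node_modules/semver" && !path.endsWith("/node_modules/semver")) continue;
    // "node_modules/a/node_modules/semver" -> ["a", "semver"]
    const chain = path
      .split("node_modules/")
      .filter(Boolean)
      .map((segment) => segment.replace(/\/$/, ""));
    copies.push({
      path,
      version: entry.version,
      chain,
      vulnerable: isVulnerableSemver(entry.version),
    });
  }
  return copies;
}

// Fail closed: report copies that are vulnerable or whose version is unreadable.
function auditLock(lock) {
  return findSemverCopies(lock).filter((copy) => copy.vulnerable !== false);
}

// Constructed sample mirroring the tree in the advisory, with the nested copy
// still at the vulnerable 5.7.1. Install paths are illustrative.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", dependencies: { stylelint: "15.10.0" } },
    "node_modules/stylelint": { version: "15.10.0" },
    "node_modules/meow": { version: "9.0.0" },
    "node_modules/normalize-package-data": { version: "3.0.3" },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/read-pkg-up": { version: "7.0.1" },
    "node_modules/read-pkg": { version: "5.2.0" },
    "node_modules/read-pkg/node_modules/normalize-package-data": { version: "2.5.0" },
    "node_modules/read-pkg/node_modules/semver": { version: "5.7.1" },
  },
};

// Same tree after the nested semver has been updated to the backported fix.
const LOCK_AFTER = JSON.parse(JSON.stringify(LOCK_BEFORE));
LOCK_AFTER.packages["node_modules/read-pkg/node_modules/semver"].version = "5.7.2";

// For a real project, pass the parsed contents of package-lock.json instead.
for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  const hits = auditLock(lock);
  const summary = hits.length
    ? hits.map((h) => `${h.chain.join(" > ")}@${h.version}`).join(", ")
    : "no vulnerable semver copies";
  console.log(`${label}: ${summary}`);
}
```
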
Release Notes
stylelint/stylelint (stylelint)
### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1)
- Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0)
- Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `` ([#6987](https://togithub.com/stylelint/stylelint/pull/6987)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` performance ([#7010](https://togithub.com/stylelint/stylelint/pull/7010)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-no-unknown` performance ([#7004](https://togithub.com/stylelint/stylelint/pull/7004)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-url-quotes` performance ([#7011](https://togithub.com/stylelint/stylelint/pull/7011)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `hue-degree-notation` false negatives for `oklch` ([#7015](https://togithub.com/stylelint/stylelint/pull/7015)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `hue-degree-notation` performance ([#7012](https://togithub.com/stylelint/stylelint/pull/7012)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` ([#6978](https://togithub.com/stylelint/stylelint/pull/6978)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` ([#6977](https://togithub.com/stylelint/stylelint/pull/6977)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-descending-specificity` performance ([#7026](https://togithub.com/stylelint/stylelint/pull/7026)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions ([#7001](https://togithub.com/stylelint/stylelint/pull/7001)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-anb-no-unmatchable` performance ([#7042](https://togithub.com/stylelint/stylelint/pull/7042)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-id-pattern` performance ([#7013](https://togithub.com/stylelint/stylelint/pull/7013)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names ([#6964](https://togithub.com/stylelint/stylelint/pull/6964)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `selector-pseudo-element-no-unknown` performance ([#7007](https://togithub.com/stylelint/stylelint/pull/7007)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-type-case` performance ([#7041](https://togithub.com/stylelint/stylelint/pull/7041)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-type-no-unknown` performance ([#7027](https://togithub.com/stylelint/stylelint/pull/7027)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `unit-disallowed-list` false negatives with percentages ([#7018](https://togithub.com/stylelint/stylelint/pull/7018)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.9.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1590)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.8.0...15.9.0)
- Added: `insideFunctions: {"function": int}` to `number-max-precision` ([#6932](https://togithub.com/stylelint/stylelint/pull/6932)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand ([#6958](https://togithub.com/stylelint/stylelint/pull/6958)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand ([#6956](https://togithub.com/stylelint/stylelint/pull/6956)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` ([#6957](https://togithub.com/stylelint/stylelint/pull/6957)) ([@mattxwang](https://togithub.com/mattxwang)).
### [`v15.8.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1580)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.7.0...15.8.0)
- Added: `media-feature-name-value-no-unknown` ([#6906](https://togithub.com/stylelint/stylelint/pull/6906)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for `.mjs` configuration files ([#6910](https://togithub.com/stylelint/stylelint/pull/6910)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `--print-config` description in CLI help ([#6914](https://togithub.com/stylelint/stylelint/pull/6914)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `allowEmptyInput` option in configuration files ([#6929](https://togithub.com/stylelint/stylelint/pull/6929)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `custom-property-no-missing-var-function` performance ([#6922](https://togithub.com/stylelint/stylelint/pull/6922)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` performance ([#6923](https://togithub.com/stylelint/stylelint/pull/6923)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` performance ([#6924](https://togithub.com/stylelint/stylelint/pull/6924)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for SCSS functions with namespace ([#6921](https://togithub.com/stylelint/stylelint/pull/6921)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `max-nesting-depth` error for at-rules in Sass syntax ([#6909](https://togithub.com/stylelint/stylelint/pull/6909)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `selector-anb-no-unmatchable` performance ([#6925](https://togithub.com/stylelint/stylelint/pull/6925)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: remove `v8-compile-cache` dependency ([#6907](https://togithub.com/stylelint/stylelint/pull/6907)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.7.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1570)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.3...15.7.0)
- Added: `splitList: boolean` to `selector-nested-pattern` ([#6896](https://togithub.com/stylelint/stylelint/pull/6896)) ([@is2ei](https://togithub.com/is2ei)).
- Fixed: `unit-no-unknown` false positives for `unicode-range` descriptors ([#6892](https://togithub.com/stylelint/stylelint/pull/6892)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: segmentation fault errors for Cosmiconfig 8.2 ([#6902](https://togithub.com/stylelint/stylelint/pull/6902)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.3`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1563)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.2...15.6.3)
- Fixed: `alpha-value-notation` false positives for `color()` ([#6885](https://togithub.com/stylelint/stylelint/pull/6885)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `alpha-value-notation` performance with improved benchmark script ([#6864](https://togithub.com/stylelint/stylelint/pull/6864)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `at-rule-property-required-list` performance ([#6865](https://togithub.com/stylelint/stylelint/pull/6865)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `color-*` performance ([#6868](https://togithub.com/stylelint/stylelint/pull/6868)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `length-zero-no-unit` false positives on new math functions ([#6871](https://togithub.com/stylelint/stylelint/pull/6871)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `string` formatter for unexpected truncation on non-ASCII characters ([#6861](https://togithub.com/stylelint/stylelint/pull/6861)) ([@Max10240](https://togithub.com/Max10240)).
- Fixed: `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor ([#6879](https://togithub.com/stylelint/stylelint/pull/6879)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.2`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1562)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.1...15.6.2)
- Fixed: `alpha-value-notation` false negatives for `oklab()`, `oklch()`, and `color()` ([#6844](https://togithub.com/stylelint/stylelint/pull/6844)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix with `cubic-bezier()` ([#6841](https://togithub.com/stylelint/stylelint/pull/6841)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for unspaced operators against nested brackets ([#6842](https://togithub.com/stylelint/stylelint/pull/6842)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-url-quotes` false positives for SCSS `with()` construct ([#6847](https://togithub.com/stylelint/stylelint/pull/6847)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-name-no-unknown` false positives for `not` and `or` ([#6838](https://togithub.com/stylelint/stylelint/pull/6838)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1561)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.0...15.6.1)
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `transition` ([#6815](https://togithub.com/stylelint/stylelint/pull/6815)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `github` formatter for missing final newline ([#6822](https://togithub.com/stylelint/stylelint/pull/6822)) ([@konomae](https://togithub.com/konomae)).
- Fixed: `selector-pseudo-class-no-unknown` false positive for `:modal` ([#6811](https://togithub.com/stylelint/stylelint/pull/6811)) ([@Yasir761](https://togithub.com/Yasir761)).
### [`v15.6.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1560)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.5.0...15.6.0)
- Added: `allowEmptyInput`, `cache`, `fix` options to configuration object ([#6778](https://togithub.com/stylelint/stylelint/pull/6778)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `ignore: ["with-var-inside"]` to `color-function-notation` ([#6802](https://togithub.com/stylelint/stylelint/pull/6802)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` autofix for 3 or more duplicates ([#6801](https://togithub.com/stylelint/stylelint/pull/6801)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` false positives with option `ignore: ["consecutive-duplicates-with-different-syntaxes"]` ([#6797](https://togithub.com/stylelint/stylelint/pull/6797)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-duplicate-properties` syntax error ([#6792](https://togithub.com/stylelint/stylelint/pull/6792)) ([@yoyo837](https://togithub.com/yoyo837)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-template` ([#6777](https://togithub.com/stylelint/stylelint/pull/6777)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `function-url-quotes` autofix for comments in SCSS function ([#6800](https://togithub.com/stylelint/stylelint/pull/6800)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.5.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1550)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.4.0...15.5.0)
- Added: `ignore: ["consecutive-duplicates-with-different-syntaxes"]` to `declaration-block-no-duplicate-properties` ([#6772](https://togithub.com/stylelint/stylelint/pull/6772)) ([@kimulaco](https://togithub.com/kimulaco)).
- Added: `ignoreProperties: []` to `declaration-block-no-duplicate-custom-properties` ([#6773](https://togithub.com/stylelint/stylelint/pull/6773)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: raw regex support to `ignoreProperties` for `declaration-block-no-duplicate-properties` ([#6764](https://togithub.com/stylelint/stylelint/pull/6764)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `block-no-empty` false positives with non-whitespace characters ([#6782](https://togithub.com/stylelint/stylelint/pull/6782)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `color-function-notation` false positives for namespaced imports ([#6774](https://togithub.com/stylelint/stylelint/pull/6774)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `custom-property-empty-line-before` false positives for CSS-in-JS ([#6767](https://togithub.com/stylelint/stylelint/pull/6767)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-range-notation` parse error ([#6760](https://togithub.com/stylelint/stylelint/pull/6760)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: CLI help improvements ([#6783](https://togithub.com/stylelint/stylelint/pull/6783)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.4.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1540)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.3.0...15.4.0)
- Added: `--quiet-deprecation-warnings` flag ([#6724](https://togithub.com/stylelint/stylelint/pull/6724)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `-c` alias for `--config` ([#6720](https://togithub.com/stylelint/stylelint/pull/6720)) ([@sidverma32](https://togithub.com/sidverma32)).
- Added: `media-feature-range-notation` autofix ([#6742](https://togithub.com/stylelint/stylelint/pull/6742)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: `no-unknown-custom-properties` rule ([#6731](https://togithub.com/stylelint/stylelint/pull/6731)) ([@jameschensmith](https://togithub.com/jameschensmith)).
- Fixed: `function-url-quotes` autofix for double-slash comments in SCSS maps ([#6745](https://togithub.com/stylelint/stylelint/pull/6745)) ([@jgerigmeyer](https://togithub.com/jgerigmeyer)).
- Fixed: `isPathIgnored()` utility's performance ([#6728](https://togithub.com/stylelint/stylelint/pull/6728)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `rule-selector-property-disallowed-list` secondary options ([#6723](https://togithub.com/stylelint/stylelint/pull/6723)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` with basic keywords ([#6748](https://togithub.com/stylelint/stylelint/pull/6748)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: deprecation warnings for disabled rules ([#6747](https://togithub.com/stylelint/stylelint/pull/6747)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.3.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1530)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.2.0...15.3.0)
- Added: `configurationComment` configuration property ([#6629](https://togithub.com/stylelint/stylelint/pull/6629)) ([@ifitzpatrick](https://togithub.com/ifitzpatrick)).
- Added: `selector-anb-no-unmatchable` rule ([#6678](https://togithub.com/stylelint/stylelint/pull/6678)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: TypeScript error for CommonJS importing ([#6703](https://togithub.com/stylelint/stylelint/pull/6703)) ([@remcohaszing](https://togithub.com/remcohaszing)).
- Fixed: `*-no-redundant-*` false negatives for `inset` shorthand ([#6699](https://togithub.com/stylelint/stylelint/pull/6699)) ([@rayrw](https://togithub.com/rayrw)).
- Fixed: `function-url-quotes` autofix for multiple `url()` ([#6711](https://togithub.com/stylelint/stylelint/pull/6711)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `value-keyword-case` false positives for Level 4 system colours ([#6712](https://togithub.com/stylelint/stylelint/pull/6712)) ([@thewilkybarkid](https://togithub.com/thewilkybarkid)).
### [`v15.2.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1520)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.1.0...15.2.0)
- Added: `messageArgs` to 76 rules ([#6589](https://togithub.com/stylelint/stylelint/pull/6589)) ([@kizu](https://togithub.com/kizu)).
- Fixed: TypeScript error to export `Plugin` and `RuleContext` ([#6664](https://togithub.com/stylelint/stylelint/pull/6664)) ([@henryruhs](https://togithub.com/henryruhs)).
- Fixed: `overrides.extends` order when including same rules ([#6660](https://togithub.com/stylelint/stylelint/pull/6660)) ([@kuoruan](https://togithub.com/kuoruan)).
- Fixed: `annotation-no-unknown` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `declaration-property-value-no-unknown` false positives for at-rule descriptors ([#6669](https://togithub.com/stylelint/stylelint/pull/6669)) ([@FloEdelmann](https://togithub.com/FloEdelmann)).
- Fixed: `declaration-property-value-no-unknown` parse error for `alpha(opacity=n)` to report as violation ([#6650](https://togithub.com/stylelint/stylelint/pull/6650)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `function-no-unknown` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `unit-no-unknown` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `value-keyword-case` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
### [`v15.1.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1510)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.0.0...15.1.0)
- Added: `declaration-block-no-redundant-longhand-properties` autofix ([#6580](https://togithub.com/stylelint/stylelint/pull/6580)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-property-value-no-unknown` false positives for `env()` ([#6646](https://togithub.com/stylelint/stylelint/pull/6646)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` TypeError on empty `calc()` ([#6634](https://togithub.com/stylelint/stylelint/pull/6634)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: inaccurate `customSyntax` inference ([#6645](https://togithub.com/stylelint/stylelint/pull/6645)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.0.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1500)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.16.1...15.0.0)
[Migrating to `15.0.0` guide](docs/migration-guide/to-15.md).
- Removed: Node.js 12 support ([#6477](https://togithub.com/stylelint/stylelint/pull/6477)) ([@ybiquitous](https://togithub.com/ybiquitous)). (BREAKING)
- Removed: support for processors ([#6479](https://togithub.com/stylelint/stylelint/pull/6479)) ([@ybiquitous](https://togithub.com/ybiquitous)). (BREAKING)
- Removed: `syntax` option ([#6420](https://togithub.com/stylelint/stylelint/pull/6420)) ([@fpetrakov](https://togithub.com/fpetrakov)). (BREAKING)
- Changed: `extends` in `overrides` to merge to be consistent with `plugins` behaviour ([#6380](https://togithub.com/stylelint/stylelint/pull/6380)) ([@jasikpark](https://togithub.com/jasikpark)). (BREAKING)
- Changed: type definitions to reorganize ([#6510](https://togithub.com/stylelint/stylelint/pull/6510)) ([@ybiquitous](https://togithub.com/ybiquitous)). (BREAKING)
- Changed: type names to be more consistent ([#6503](https://togithub.com/stylelint/stylelint/pull/6503)) ([@ybiquitous](https://togithub.com/ybiquitous)). (BREAKING)
- Deprecated: stylistic rules handled by Prettier ([#6504](https://togithub.com/stylelint/stylelint/pull/6504)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: `declaration-property-value-no-unknown` rule ([#6511](https://togithub.com/stylelint/stylelint/pull/6511)) ([@jeddy3](https://togithub.com/jeddy3)).
- Added: `media-feature-name-unit-allowed-list` rule ([#6550](https://togithub.com/stylelint/stylelint/pull/6550)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `function-url-quotes` autofix ([#6558](https://togithub.com/stylelint/stylelint/pull/6558)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `ignore: ["custom-elements"]` to `selector-max-type` ([#6588](https://togithub.com/stylelint/stylelint/pull/6588)) ([@muddv](https://togithub.com/muddv)).
- Added: `ignoreFunctions: []` to `unit-disallowed-list` ([#6592](https://togithub.com/stylelint/stylelint/pull/6592)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: deprecated rule warnings ([#6561](https://togithub.com/stylelint/stylelint/pull/6561)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: message arguments to `declaration-property-unit-allowed-list` ([#6570](https://togithub.com/stylelint/stylelint/pull/6570)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `overrides.files` in config to allow basename glob patterns ([#6547](https://togithub.com/stylelint/stylelint/pull/6547)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `at-rule-no-unknown` false positives for `@scroll-timeline` ([#6554](https://togithub.com/stylelint/stylelint/pull/6554)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `function-no-unknown` false positives for interpolation and backticks in CSS-in-JS ([#6565](https://togithub.com/stylelint/stylelint/pull/6565)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `keyframe-selector-notation` false positives for named timeline ranges ([#6605](https://togithub.com/stylelint/stylelint/pull/6605)) ([@kimulaco](https://togithub.com/kimulaco)).
- Fixed: `property-no-unknown` false negatives for newer custom syntaxes ([#6553](https://togithub.com/stylelint/stylelint/pull/6553)) ([@43081j](https://togithub.com/43081j)).
- Fixed: `selector-attribute-quotes` false positives for "never" ([#6571](https://togithub.com/stylelint/stylelint/pull/6571)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `selector-not-notation` autofix for "simple" option ([#6608](https://togithub.com/stylelint/stylelint/pull/6608)) ([@Mouvedia](https://togithub.com/Mouvedia)).
### [`v14.16.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14161)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.16.0...14.16.1)
- Fixed: `customSyntax` resolution with `configBasedir` ([#6536](https://togithub.com/stylelint/stylelint/pull/6536)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `declaration-block-no-duplicate-properties` autofix for `!important` ([#6528](https://togithub.com/stylelint/stylelint/pull/6528)) ([@sidx1024](https://togithub.com/sidx1024)).
- Fixed: `function-no-unknown` false positives for `scroll`, `-webkit-gradient`, `color-stop`, `from`, and `to` ([#6539](https://togithub.com/stylelint/stylelint/pull/6539)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `value-keyword-case` false positives for mixed case `ignoreFunctions` option ([#6517](https://togithub.com/stylelint/stylelint/pull/6517)) ([@kimulaco](https://togithub.com/kimulaco)).
- Fixed: unexpected `output` in Node.js API lint result when any rule contains `disableFix: true` ([#6543](https://togithub.com/stylelint/stylelint/pull/6543)) ([@adrianjost](https://togithub.com/adrianjost)).
### [`v14.16.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14160)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.15.0...14.16.0)
- Added: `media-feature-range-notation` rule ([#6497](https://togithub.com/stylelint/stylelint/pull/6497)) ([@jeddy3](https://togithub.com/jeddy3)).
- Added: support for plugin objects as config values ([#6481](https://togithub.com/stylelint/stylelint/pull/6481)) ([@phoenisx](https://togithub.com/phoenisx)).
- Fixed: incorrect output by all formatters except for `json` ([#6480](https://togithub.com/stylelint/stylelint/pull/6480)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v14.15.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14150)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.14.1...14.15.0)
- Added: `--globby-options` flag ([#6437](https://togithub.com/stylelint/stylelint/pull/6437)) ([@sidverma32](https://togithub.com/sidverma32)).
- Added: custom message formatting for `at-rule-disallowed-list`, `declaration-property-unit-disallowed-list`, `declaration-property-value-disallowed-list`, `function-disallowed-list`, and `property-disallowed-list` ([#6463](https://togithub.com/stylelint/stylelint/pull/6463)) ([@chloerice](https://togithub.com/chloerice)).
- Added: support autofix with `checkAgainstRule` ([#6466](https://togithub.com/stylelint/stylelint/pull/6466)) ([@aaronccasanova](https://togithub.com/aaronccasanova)).
- Added: support for reporting with custom severity ([#6444](https://togithub.com/stylelint/stylelint/pull/6444)) ([@aaronccasanova](https://togithub.com/aaronccasanova)).
- Added: support to `checkAgainstRule` with custom rules ([#6460](https://togithub.com/stylelint/stylelint/pull/6460)) ([@aaronccasanova](https://togithub.com/aaronccasanova)).
- Fixed: tally output of `string` formatter colorized ([#6443](https://togithub.com/stylelint/stylelint/pull/6443)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: usage of the `import-lazy` package to fit bundlers ([#6449](https://togithub.com/stylelint/stylelint/pull/6449)) ([@phoenisx](https://togithub.com/phoenisx)).
### [`v14.14.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14141)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.14.0...14.14.1)
- Fixed: `declaration-block-no-redundant-longhand-properties` false positives for `inherit` keyword ([#6419](https://togithub.com/stylelint/stylelint/pull/6419)) ([@kimulaco](https://togithub.com/kimulaco)).
- Fixed: `shorthand-property-no-redundant-values` message to be consistent ([#6417](https://togithub.com/stylelint/stylelint/pull/6417)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: `unit-no-unknown` false positives for `*vi` & `*vb` viewport units ([#6428](https://togithub.com/stylelint/stylelint/pull/6428)) ([@sidverma32](https://togithub.com/sidverma32)).
### [`v14.14.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14140)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.13.0...14.14.0)
- Added: `*-pattern` custom message formatting ([#6391](https://togithub.com/stylelint/stylelint/pull/6391)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `block-no-empty` false positives for `reportNeedlessDisables` ([#6381](https://togithub.com/stylelint/stylelint/pull/6381)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `printf`-like formatting for custom messages ([#6389](https://togithub.com/stylelint/stylelint/pull/6389)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `unit-no-unknown` false positives for font-relative length units ([#6374](https://togithub.com/stylelint/stylelint/pull/6374)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: false negatives on second run for cache and `severity` option ([#6384](https://togithub.com/stylelint/stylelint/pull/6384)) ([@kimulaco](https://togithub.com/kimulaco)).
- Fixed: TS compilation error due to needless `file-entry-cache` import ([#6393](https://togithub.com/stylelint/stylelint/pull/6393)) ([@adidahiya](https://togithub.com/adidahiya)).
### [`v14.13.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14130)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.12.1...14.13.0)
- Added: `cacheStrategy` option ([#6357](https://togithub.com/stylelint/stylelint/pull/6357)) ([@kaorun343](https://togithub.com/kaorun343)).
- Fixed: cache refresh when config is changed ([#6356](https://togithub.com/stylelint/stylelint/pull/6356)) ([@kimulaco](https://togithub.com/kimulaco)).
- Fixed: `selector-pseudo-element-no-unknown` false positives for `::highlight` pseudo-element ([#6367](https://togithub.com/stylelint/stylelint/pull/6367)) ([@jathak](https://togithub.com/jathak)).
### [`v14.12.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14121)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.12.0...14.12.1)
- Fixed: `font-weight-notation` messages ([#6350](https://togithub.com/stylelint/stylelint/pull/6350)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: type declarations for custom message arguments ([#6354](https://togithub.com/stylelint/stylelint/pull/6354)) ([@stof](https://togithub.com/stof)).
### [`v14.12.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#14120)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/14.11.0...14.12.0)
- Added: support for multiple `--ignore-path` flags ([#6345](https://togithub.com/stylelint/stylelint/pull/6345)) ([@kimulaco](https://togithub.com/kimulaco)).
- Added: experimental support for custom message arguments ([#6312](https://togithub.com/stylelint/stylelint/pull/6312)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: `declaration-block-no-duplicate-properties` autofix ([#6296](https://togithub.com/stylelint/stylelint/pull/6296)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Added: `font-weight-notation` autofix ([#6347](https://togithub.com/stylelint/stylelint/pull/6347)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: `ignore: ["inside-block"]` and `splitList` to `selector-disallowed-list` ([#6334](https://togithub.com/stylelint/stylelint/pull/6334)) ([@mattmanuel90](https://togithub.com/mattmanuel90)).
- Added: regex support for `ignorePseudoClasses` option of `selector-pseudo-class-no-unknown` ([#6316](https://togithub.com/stylelint/stylelint/pull/6316)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: regex support for `ignorePseudoElements` option of `selector-pseudo-element-no-unknown` ([#6317](https://togithub.com/stylelint/stylelint/pull/6317)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: regex support for `ignoreSelectors` option of `selector-no-vendor-prefix` ([#6327](https://togithub.com/stylelint/stylelint/pull/6327)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Added: regex support for `ignoreTypes` option of `selector-type-case` ([#6326](https://togithub.com/stylelint/stylelint/pull/6326)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `*-no-unknown` false positives for container queries ([#6318](https://togithub.com/stylelint/stylelint/pull/6318)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: `font-family-name-quotes` false positives for interpolation and shorthand ([#6335](https://togithub.com/stylelint/stylelint/pull/6335)) ([@kimulaco](https://togithub.com/kimulaco)).
- Fixed: `time-min-milliseconds` incorrect location for matching violating times ([#6319](https://togithub.com/stylelint/stylelint/pull/6319)) ([@kawaguchi1102](https://togithub.com/kawaguchi1102)).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
^14.11.0 -> ^15.0.0
GitHub Vulnerability Alerts
GHSA-f7xj-rg7h-mc87
Summary
Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit:
Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver show your package
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│   └─┬ read-pkg-up@7.0.1
│     └─┬ read-pkg@5.2.0
│       └─┬ normalize-package-data@2.5.0
│         └── semver@5.7.1 deduped
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older semver versions
The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:
Run npm audit (here is no alert for semver):
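The advisory's point that updating semver inside the dependency tree is enough can be checked against a lockfile. The following is an added example, not part of the advisory or the stylelint repository: a Node.js check that lists every installed semver copy still below the patched release of its major line (5.7.2, 6.3.1 and 7.5.2, per the CVE-2022-25883 record). The function names, the sample lockfile and the `some-tool` package are constructed for illustration.

```javascript
// Added example, not stylelint's code: first patched release per semver major line (CVE-2022-25883).
const PATCHED = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

function parseVersion(version) {
  // Anchored, linear-time match; prerelease/build suffixes are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

// Returns the first patched version to move to, or null if not affected.
function requiredFix(version) {
  const v = parseVersion(version);
  if (!v || v[0] > 7) return null;
  // Majors below 5 have no patched release of their own; 5.7.2 is the floor.
  const floor = PATCHED[v[0]] || PATCHED[5];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] < floor[i] ? floor.join(".") : null;
  }
  return null; // exactly the patched release
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json.
function findVulnerableSemver(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isSemver = path === "node_modules/semver" || path.endsWith("/node_modules/semver");
    if (!isSemver || !entry.version) continue;
    const fix = requiredFix(entry.version);
    if (fix) findings.push({ path, version: entry.version, fix });
  }
  return findings;
}

// Constructed sample; for a real project load package-lock.json with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", devDependencies: { stylelint: "15.10.0" } },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/normalize-package-data/node_modules/semver": { version: "5.7.1" },
    "node_modules/some-tool/node_modules/semver": { version: "6.3.0" }, // hypothetical package
    "node_modules/semver-diff": { version: "3.1.1" }, // different package, skipped
  },
};

for (const f of findVulnerableSemver(sampleLock)) {
  console.log(`${f.path}: semver@${f.version} -> update to >=${f.fix}`);
}
```

An empty result means every semver copy in the lockfile is at or above the backported fix, which matches the `semver@5.7.2` / `semver@7.5.4` tree the advisory shows for stylelint 15.10.0.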