Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit:
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
This PR contains the following updates:
15.9.0->15.10.1GitHub Vulnerability Alerts
GHSA-f7xj-rg7h-mc87
Summary
Our
meowdependency (which we use for our CLI) depended onsemver@5.7.1. A vulnerability in this version ofsemverwas recently identified and surfaced bynpm audit:Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2 Severity: moderate semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw No fix available
And my dependencies tree for semver show your package
├─┬ stylelint@15.9.0 │ └─┬ meow@9.0.0 │ └─┬ read-pkg-up@7.0.1 │ └─┬ read-pkg@5.2.0 │ └─┬ normalize-package-data@2.5.0 │ └── semver@5.7.1 deduped
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and
meowis only used on the CLI pathway.Release Notes
stylelint/stylelint (stylelint)
### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101) [Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1) - Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)). - Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)). ### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100) [Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0) - Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)). - Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)). - Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)). - Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)). - Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)). - Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.