🚨 [security] Update stylelint 15.2.0 → 15.10.1 (minor)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ stylelint (15.2.0 → 15.10.1) · Repo · Changelog

Security Advisories 🚨

🚨 Stylelint has vulnerability in semver dependency

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.

Release Notes

15.10.1

• Security: fix for semver vulnerability (#7043) (@romainmenke).
• Fixed: invalid option regression on Windows 10 (#7043) (@romainmenke).

15.10.0

• Added: media-query-no-invalid (#6963) (@romainmenke).
• Added: support for JS objects with extends config option (#6998) (@fpetrakov).
• Fixed: inconsistent errored properties in stylelint.lint() return value (#6983) (@ybiquitous).
• Fixed: {selector,value}-no-vendor-prefix performance (#7016) (@jeddy3).
• Fixed: custom-property-pattern performance (#7009) (@jeddy3).
• Fixed: function-linear-gradient-no-nonstandard-direction false positives for <color-interpolation-method> (#6987) (@romainmenke).
• Fixed: function-name-case performance (#7010) (@jeddy3).
• Fixed: function-no-unknown performance (#7004) (@jeddy3).
• Fixed: function-url-quotes performance (#7011) (@jeddy3).
• Fixed: hue-degree-notation false negatives for oklch (#7015) (@romainmenke).
• Fixed: hue-degree-notation performance (#7012) (@jeddy3).
• Fixed: media-feature-name-no-unknown false positives for environment-blending, nav-controls, prefers-reduced-data, and video-color-gamut (#6978) (@romainmenke).
• Fixed: media-feature-name-no-vendor-prefix positions for *-device-pixel-ratio (#6977) (@romainmenke).
• Fixed: no-descending-specificity performance (#7026) (@romainmenke).
• Fixed: no-duplicate-at-import-rules false negatives for imports with supports and layer conditions (#7001) (@romainmenke).
• Fixed: selector-anb-no-unmatchable performance (#7042) (@romainmenke).
• Fixed: selector-id-pattern performance (#7013) (@jeddy3).
• Fixed: selector-pseudo-class-no-unknown false negatives for pseudo-elements with matching names (#6964) (@Mouvedia).
• Fixed: selector-pseudo-element-no-unknown performance (#7007) (@jeddy3).
• Fixed: selector-type-case performance (#7041) (@romainmenke).
• Fixed: selector-type-no-unknown performance (#7027) (@romainmenke).
• Fixed: unit-disallowed-list false negatives with percentages (#7018) (@romainmenke).

15.9.0

• Added: insideFunctions: {"function": int} to number-max-precision (#6932) (@romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-radius shorthand (#6958) (@mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for border-width shorthand (#6956) (@mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-column and grid-row (#6957) (@mattxwang).

15.8.0

• Added: media-feature-name-value-no-unknown (#6906) (@romainmenke).
• Added: support for .mjs configuration files (#6910) (@ybiquitous).
• Fixed: --print-config description in CLI help (#6914) (@ybiquitous).
• Fixed: allowEmptyInput option in configuration files (#6929) (@ybiquitous).
• Fixed: custom-property-no-missing-var-function performance (#6922) (@romainmenke).
• Fixed: function-calc-no-unspaced-operator performance (#6923) (@romainmenke).
• Fixed: function-linear-gradient-no-nonstandard-direction performance (#6924) (@romainmenke).
• Fixed: function-no-unknown false positives for SCSS functions with namespace (#6921) (@romainmenke).
• Fixed: max-nesting-depth error for at-rules in Sass syntax (#6909) (@ybiquitous).
• Fixed: selector-anb-no-unmatchable performance (#6925) (@romainmenke).
• Fixed: remove v8-compile-cache dependency (#6907) (@ybiquitous).

15.7.0

• Added: splitList: boolean to selector-nested-pattern (#6896) (@is2ei).
• Fixed: unit-no-unknown false positives for unicode-range descriptors (#6892) (@romainmenke).
• Fixed: segmentation fault errors for Cosmiconfig 8.2 (#6902) (@romainmenke).

15.6.3

• Fixed: alpha-value-notation false positives for color() (#6885) (@romainmenke).
• Fixed: alpha-value-notation performance with improved benchmark script (#6864) (@romainmenke).
• Fixed: at-rule-property-required-list performance (#6865) (@romainmenke).
• Fixed: color-* performance (#6868) (@romainmenke).
• Fixed: length-zero-no-unit false positives on new math functions (#6871) (@romainmenke).
• Fixed: string formatter for unexpected truncation on non-ASCII characters (#6861) (@Max10240).
• Fixed: unit-no-unknown false positives for the second and subsequent image-set() with x descriptor (#6879) (@romainmenke).

15.6.2

• Fixed: alpha-value-notation false negatives for oklab(), oklch(), and color() (#6844) (@romainmenke).
• Fixed: declaration-block-no-redundant-longhand-properties autofix with cubic-bezier() (#6841) (@romainmenke).
• Fixed: function-no-unknown false positives for unspaced operators against nested brackets (#6842) (@romainmenke).
• Fixed: function-url-quotes false positives for SCSS with() construct (#6847) (@ybiquitous).
• Fixed: media-feature-name-no-unknown false positives for not and or (#6838) (@romainmenke).

15.6.1

• Fixed: declaration-block-no-redundant-longhand-properties autofix for transition (#6815) (@mattxwang).
• Fixed: github formatter for missing final newline (#6822) (@konomae).
• Fixed: selector-pseudo-class-no-unknown false positive for :modal (#6811) (@Yasir761).

15.6.0

• Added: allowEmptyInput, cache, fix options to configuration object (#6778) (@mattxwang).
• Added: ignore: ["with-var-inside"] to color-function-notation (#6802) (@mattxwang).
• Fixed: declaration-block-no-duplicate-properties autofix for 3 or more duplicates (#6801) (@mattxwang).
• Fixed: declaration-block-no-duplicate-properties false positives with option ignore: ["consecutive-duplicates-with-different-syntaxes"] (#6797) (@romainmenke).
• Fixed: declaration-block-no-duplicate-properties syntax error (#6792) (@yoyo837).
• Fixed: declaration-block-no-redundant-longhand-properties autofix for grid-template (#6777) (@mattxwang).
• Fixed: function-url-quotes autofix for comments in SCSS function (#6800) (@ybiquitous).

15.5.0

• Added: ignore: ["consecutive-duplicates-with-different-syntaxes"] to declaration-block-no-duplicate-properties (#6772) (@kimulaco).
• Added: ignoreProperties: [] to declaration-block-no-duplicate-custom-properties (#6773) (@mattxwang).
• Added: raw regex support to ignoreProperties for declaration-block-no-duplicate-properties (#6764) (@ybiquitous).
• Fixed: block-no-empty false positives with non-whitespace characters (#6782) (@ybiquitous).
• Fixed: color-function-notation false positives for namespaced imports (#6774) (@mattxwang).
• Fixed: custom-property-empty-line-before false positives for CSS-in-JS (#6767) (@ybiquitous).
• Fixed: media-feature-range-notation parse error (#6760) (@fpetrakov).
• Fixed: CLI help improvements (#6783) (@ybiquitous).

15.4.0

• Added: --quiet-deprecation-warnings flag (#6724) (@mattxwang).
• Added: -c alias for --config (#6720) (@sidverma32).
• Added: media-feature-range-notation autofix (#6742) (@romainmenke).
• Added: no-unknown-custom-properties rule (#6731) (@jameschensmith).
• Fixed: function-url-quotes autofix for double-slash comments in SCSS maps (#6745) (@jgerigmeyer).
• Fixed: isPathIgnored() utility's performance (#6728) (@ybiquitous).
• Fixed: rule-selector-property-disallowed-list secondary options (#6723) (@mattxwang).
• Fixed: declaration-block-no-redundant-longhand-properties with basic keywords (#6748) (@mattxwang).
• Fixed: deprecation warnings for disabled rules (#6747) (@ybiquitous).

15.3.0

• Added: configurationComment configuration property (#6629) (@ifitzpatrick).
• Added: selector-anb-no-unmatchable rule (#6678) (@mattxwang).
• Fixed: TypeScript error for CommonJS importing (#6703) (@remcohaszing).
• Fixed: *-no-redundant-* false negatives for inset shorthand (#6699) (@rayrw).
• Fixed: function-url-quotes autofix for multiple url() (#6711) (@ybiquitous).
• Fixed: value-keyword-case false positives for Level 4 system colours (#6712) (@thewilkybarkid).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closing because this update has already been applied