🚨 [security] Update stylelint 9.10.1 → 16.3.1 (major)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ stylelint (9.10.1 → 16.3.1) · Repo · Changelog

Security Advisories 🚨

🚨 Stylelint has vulnerability in semver dependency

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ html-tags (indirect, 2.0.0 → 3.3.1) · Repo

Release Notes

3.3.1

• Add search HTML element to type definitions (#12) 273706f

v3.3.0...v3.3.1

3.3.0

• Add search tag (#11) 213622b

v3.2.0...v3.3.0

3.2.0

• Add TypeScript types 3da3338 5eb6dbc

v3.1.0...v3.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• 3.3.1
• Add search HTML element to type definitions (#12)
• 3.3.0
• Add `search` tag (#11)
• Meta tweaks
• 3.2.0
• Add TypeScript types as union type (#8)
• Move to GitHub Actions (#7)
• Meta tweaks
• Make the TypeScript type a union of the HTML tags (#5)
• 3.1.0
• Remove the deprecated `keygen` tag
• 3.0.0
• Meta tweaks
• Require Node.js 8, add TypeScript definition (#3)

↗️ known-css-properties (indirect, 0.11.0 → 0.30.0) · Repo

Release Notes

0.30.0

Update properties

• Chrome 119
• Firefox 119
• Chrome 120
• Firefox 120
• Chrome 121
• Firefox 121
• Chrome 122
• Firefox 122
• Samsung internet 23.0
• ios safari 17.3
• Safari 17.1
• w3c 2024/02/07

0.29.0

Update properties

• Safari 16.5
• Safari 17.0
• ios safari 17.0
• Chrome 116
• Chrome 117
• Chrome android 117
• Chrome 118
• Firefox 114
• Firefox 116
• Firefox 117
• Firefox 118
• Firefox android 118
• W3C data 2023/10/15

Update dependencies

• Update dependency globby to v13.2.2 by @renovate in #158
• Update dependency eslint to v8.51.0 by @renovate in #155

Full Changelog: v0.28.0...v0.29.0

0.28.0

• Chrome 111
• Chrome 112
• Chrome 113
• Chrome 114
• Chrome 114
• Chrome 115
• Firefox 111
• Firefox 112
• Firefox 113
• Firefox 115
• Chrome android 113
• Chrome android 114
• Firefox mobile 115
• Safari 16.4
• Samsung internet 22.0
• W3C data 2023/07/20

0.27.0

New properties

• Chrome 108
• Chrome 109
• Chrome 110
• Chrome android 110
• Firefox 107
• Firefox 108
• Firefox 109
• Firefox 110
• Firefox mobile 110
• Opera mobile 73
• Samsung internet 19.0
• W3C data 2023/02/19

Full Changelog: v0.26.0...v0.27.0

0.26.0

What's Changed

• Updates 2022/10/30 by @vio in #156
  • Chrome 101 - 107
  • Chrome android 101
  • Firefox 100 - 106
  • Firefox mobile 101
  • Firefox mobile 106
  • Safari 15.6
  • Safari 16.0
  • Safari ios 16.0
  • W3C data 2022/10/30
• Update dependency eslint to v8.18.0 by @renovate in #153
• Update dependency globby to v13.1.2 by @renovate in #154

Full Changelog: v0.25.0...v0.26.0

0.25.0

• Chrome Android 100 (e551ab3)
• iOS Safari 15.4 (958bcc2)
• Firefox Android 99 (33fa162)
• Safari 15.4 (19966c5)
• Firefox 99 (56b7444)
• Firefox 98 (28f76c9)
• Firefox 97 (a9a2eed)
• Firefox 96 (3bf1a8b)
• Chrome 100 (fdfd2b1)
• Chrome 99 (a494608)
• Chrome 98 (5fc2ab8)
• Chrome 97 (806c199)
• W3C data 2022/04/30 (098158c)

Full Changelog: v0.24.0...v0.25.0

0.24.0

Data

• 4f95595 W3C data 2021/12/09 (@vio)
• 48724cd Firefox 95 (@vio)
• 0548bed Firefox 94 (@vio)
• 693e979 Firefox 93 (@vio)
• 53da032 Firefox 92 (@vio)
• 0bbcd31 Firefox 91 (@vio)
• 088fd1e Firefox 90 (@vio)
• 8ceded5 Chrome 96 (@vio)
• 43b7f48 Chrome 95 (@vio)
• 78fafbc Chrome 94 (@vio)
• db4ec70 Chrome 93 (@vio)
• ea73fab Chrome 92 (@vio)
• 470259c Safari 15.1 (@vio)
• 056b526 Chrome Android 96 (@vio)
• 3632999 Chrome Android 94 (@vio)
• 1bdc6fa Firefox mobile 91 (@vio)
• 9934736 ios safari 15.1 (@vio)
• 43cab35 Samsung internet 9.0 (@vio)
• 44e287f UC Browser for Android 12.10 (@vio)
• 33885a4 Samsung internet 14.2 (@vio)
• d1288be UC Browser Android 13.4 (@vio)
• 0a231da Chrome Android 91 (@vio)

Improvements

• 9f47458 add typings (GitHub) (Thanks @Commandtechno!)

Dependencies

• 800c09d Update dependency eslint to v8 (Renovate Bot)
• d3833ca Update dependency axios to v0.21.2 [SECURITY] (Renovate Bot)
• e25fce7 Update dependency globby to v12.0.2 (Renovate Bot)
• 81d79cc Update dependency globby to v12 (Renovate Bot)
• 6d91286 Update dependency eslint to v7.32.0 (Renovate Bot)

0.23.0

• Chrome 89-91
• Firefox 86-89
• Safari OSX/iOS 14.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ postcss-safe-parser (indirect, 4.0.2 → 7.0.0) · Repo · Changelog

Release Notes

5.0.2 (from changelog)

• Added funding links.

5.0.1 (from changelog)

• Fixed parsing missed semicolon.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

• Release 7.0 version
• Update PostCSS peer req
• Remove Node 12, 14, 16 support
• Update dependencies and practies
• Bump postcss from 8.4.21 to 8.4.31 (#38)
• Update dependencies
• Update CI config
• Add funding option
• Add Tidelift links
• Add security note
• Update project practices
• Bump ansi-regex from 4.1.0 to 4.1.1 (#35)
• Bump minimist from 1.2.5 to 1.2.6 (#34)
• Bump nanoid from 3.1.30 to 3.2.0 (#33)
• Bump shelljs from 0.8.4 to 0.8.5 (#32)
• Update dependnecies
• Bump tmpl from 1.0.4 to 1.0.5 (#28)
• Bump set-getter from 0.1.0 to 0.1.1 (#27)
• Release 6.0 version
• Update peer dependencies
• Update development practices
• Clean up docs
• Bump glob-parent from 5.1.1 to 5.1.2 (#26)
• Bump ws from 7.3.1 to 7.4.6 (#25)
• Bump postcss from 8.1.0 to 8.2.10 (#24)
• Bump hosted-git-info from 2.8.8 to 2.8.9 (#23)
• Bump handlebars from 4.7.6 to 4.7.7 (#22)
• Bump node-notifier from 8.0.0 to 8.0.1 (#19)
• Release 5.0.2 version
• Update dependencies
• Add funding links
• Update dependencies
• Release 5.0.1 version
• Fix parsing missed semicolon
• Update dependencies
• Typo
• Release 5.0 version
• Use released PostCSS 8
• Update for latest PostCSS
• Update PostCSS
• Remove old config
• Use PostCSS 8 API
• Bump acorn from 5.7.3 to 5.7.4 (#16)

🆕 @​csstools/css-parser-algorithms (added, 2.6.1)

🆕 @​csstools/css-tokenizer (added, 2.2.4)

🆕 @​csstools/media-query-list-parser (added, 2.1.9)

🆕 @​csstools/selector-specificity (added, 3.0.2)

🆕 @​dual-bundle/import-meta-resolve (added, 4.0.0)

🆕 colord (added, 2.9.3)

🆕 css-functions-list (added, 3.2.1)

🆕 env-paths (added, 2.2.1)

🆕 lodash.truncate (added, 4.4.2)

🆕 nanoid (added, 3.3.7)

🆕 require-from-string (added, 2.0.2)

🆕 source-map-js (added, 1.2.0)

🆕 supports-hyperlinks (added, 3.0.0)

🗑️ @​mrmlnc/readdir-enhanced (removed)

🗑️ call-me-maybe (removed)

🗑️ clone-regexp (removed)

🗑️ decamelize-keys (removed)

🗑️ execall (removed)

🗑️ glob-to-regexp (removed)

🗑️ gonzales-pe (removed)

🗑️ is-supported-regexp-flag (removed)

🗑️ leven (removed)

🗑️ minimist-options (removed)

🗑️ normalize-selector (removed)

🗑️ postcss-html (removed)

🗑️ postcss-jsx (removed)

🗑️ postcss-less (removed)

🗑️ postcss-markdown (removed)

🗑️ postcss-reporter (removed)

🗑️ postcss-sass (removed)

🗑️ postcss-scss (removed)

🗑️ postcss-syntax (removed)

🗑️ quick-lru (removed)

🗑️ specificity (removed)

🗑️ style-search (removed)

🗑️ sugarss (removed)

🗑️ unist-util-find-all-after (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codesandbox[bot]]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders
Open Preview

[depfu[bot]]

Closed in favor of #316.