Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit:
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older semver versions
The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:
{
"dependencies": {
"stylelint": "15.10.0"
}
}
Run npm audit (here is no alert for semver):
$ npm ci
...
$ npm audit
...
stylelint 8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint
1 low severity vulnerability
...
$ npm ls semver
...
└─┬ stylelint@15.10.0
└─┬ meow@9.0.0
├─┬ normalize-package-data@3.0.3
│ └── semver@7.5.4
└─┬ read-pkg-up@7.0.1
└─┬ read-pkg@5.2.0
└─┬ normalize-package-data@2.5.0
└── semver@5.7.2
Release Notes
stylelint/stylelint (stylelint)
### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1)
- Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0)
- Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `` ([#6987](https://togithub.com/stylelint/stylelint/pull/6987)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` performance ([#7010](https://togithub.com/stylelint/stylelint/pull/7010)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-no-unknown` performance ([#7004](https://togithub.com/stylelint/stylelint/pull/7004)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-url-quotes` performance ([#7011](https://togithub.com/stylelint/stylelint/pull/7011)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `hue-degree-notation` false negatives for `oklch` ([#7015](https://togithub.com/stylelint/stylelint/pull/7015)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `hue-degree-notation` performance ([#7012](https://togithub.com/stylelint/stylelint/pull/7012)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` ([#6978](https://togithub.com/stylelint/stylelint/pull/6978)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` ([#6977](https://togithub.com/stylelint/stylelint/pull/6977)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-descending-specificity` performance ([#7026](https://togithub.com/stylelint/stylelint/pull/7026)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions ([#7001](https://togithub.com/stylelint/stylelint/pull/7001)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-anb-no-unmatchable` performance ([#7042](https://togithub.com/stylelint/stylelint/pull/7042)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-id-pattern` performance ([#7013](https://togithub.com/stylelint/stylelint/pull/7013)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names ([#6964](https://togithub.com/stylelint/stylelint/pull/6964)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `selector-pseudo-element-no-unknown` performance ([#7007](https://togithub.com/stylelint/stylelint/pull/7007)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-type-case` performance ([#7041](https://togithub.com/stylelint/stylelint/pull/7041)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-type-no-unknown` performance ([#7027](https://togithub.com/stylelint/stylelint/pull/7027)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `unit-disallowed-list` false negatives with percentages ([#7018](https://togithub.com/stylelint/stylelint/pull/7018)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.9.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1590)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.8.0...15.9.0)
- Added: `insideFunctions: {"function": int}` to `number-max-precision` ([#6932](https://togithub.com/stylelint/stylelint/pull/6932)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand ([#6958](https://togithub.com/stylelint/stylelint/pull/6958)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand ([#6956](https://togithub.com/stylelint/stylelint/pull/6956)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` ([#6957](https://togithub.com/stylelint/stylelint/pull/6957)) ([@mattxwang](https://togithub.com/mattxwang)).
### [`v15.8.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1580)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.7.0...15.8.0)
- Added: `media-feature-name-value-no-unknown` ([#6906](https://togithub.com/stylelint/stylelint/pull/6906)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for `.mjs` configuration files ([#6910](https://togithub.com/stylelint/stylelint/pull/6910)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `--print-config` description in CLI help ([#6914](https://togithub.com/stylelint/stylelint/pull/6914)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `allowEmptyInput` option in configuration files ([#6929](https://togithub.com/stylelint/stylelint/pull/6929)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `custom-property-no-missing-var-function` performance ([#6922](https://togithub.com/stylelint/stylelint/pull/6922)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` performance ([#6923](https://togithub.com/stylelint/stylelint/pull/6923)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` performance ([#6924](https://togithub.com/stylelint/stylelint/pull/6924)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for SCSS functions with namespace ([#6921](https://togithub.com/stylelint/stylelint/pull/6921)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `max-nesting-depth` error for at-rules in Sass syntax ([#6909](https://togithub.com/stylelint/stylelint/pull/6909)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `selector-anb-no-unmatchable` performance ([#6925](https://togithub.com/stylelint/stylelint/pull/6925)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: remove `v8-compile-cache` dependency ([#6907](https://togithub.com/stylelint/stylelint/pull/6907)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.7.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1570)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.3...15.7.0)
- Added: `splitList: boolean` to `selector-nested-pattern` ([#6896](https://togithub.com/stylelint/stylelint/pull/6896)) ([@is2ei](https://togithub.com/is2ei)).
- Fixed: `unit-no-unknown` false positives for `unicode-range` descriptors ([#6892](https://togithub.com/stylelint/stylelint/pull/6892)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: segmentation fault errors for Cosmiconfig 8.2 ([#6902](https://togithub.com/stylelint/stylelint/pull/6902)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.3`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1563)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.2...15.6.3)
- Fixed: `alpha-value-notation` false positives for `color()` ([#6885](https://togithub.com/stylelint/stylelint/pull/6885)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `alpha-value-notation` performance with improved benchmark script ([#6864](https://togithub.com/stylelint/stylelint/pull/6864)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `at-rule-property-required-list` performance ([#6865](https://togithub.com/stylelint/stylelint/pull/6865)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `color-*` performance ([#6868](https://togithub.com/stylelint/stylelint/pull/6868)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `length-zero-no-unit` false positives on new math functions ([#6871](https://togithub.com/stylelint/stylelint/pull/6871)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `string` formatter for unexpected truncation on non-ASCII characters ([#6861](https://togithub.com/stylelint/stylelint/pull/6861)) ([@Max10240](https://togithub.com/Max10240)).
- Fixed: `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor ([#6879](https://togithub.com/stylelint/stylelint/pull/6879)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.2`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1562)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.1...15.6.2)
- Fixed: `alpha-value-notation` false negatives for `oklab()`, `oklch()`, and `color()` ([#6844](https://togithub.com/stylelint/stylelint/pull/6844)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix with `cubic-bezier()` ([#6841](https://togithub.com/stylelint/stylelint/pull/6841)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for unspaced operators against nested brackets ([#6842](https://togithub.com/stylelint/stylelint/pull/6842)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-url-quotes` false positives for SCSS `with()` construct ([#6847](https://togithub.com/stylelint/stylelint/pull/6847)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-name-no-unknown` false positives for `not` and `or` ([#6838](https://togithub.com/stylelint/stylelint/pull/6838)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1561)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.0...15.6.1)
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `transition` ([#6815](https://togithub.com/stylelint/stylelint/pull/6815)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `github` formatter for missing final newline ([#6822](https://togithub.com/stylelint/stylelint/pull/6822)) ([@konomae](https://togithub.com/konomae)).
- Fixed: `selector-pseudo-class-no-unknown` false positive for `:modal` ([#6811](https://togithub.com/stylelint/stylelint/pull/6811)) ([@Yasir761](https://togithub.com/Yasir761)).
### [`v15.6.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1560)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.5.0...15.6.0)
- Added: `allowEmptyInput`, `cache`, `fix` options to configuration object ([#6778](https://togithub.com/stylelint/stylelint/pull/6778)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `ignore: ["with-var-inside"]` to `color-function-notation` ([#6802](https://togithub.com/stylelint/stylelint/pull/6802)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` autofix for 3 or more duplicates ([#6801](https://togithub.com/stylelint/stylelint/pull/6801)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` false positives with option `ignore: ["consecutive-duplicates-with-different-syntaxes"]` ([#6797](https://togithub.com/stylelint/stylelint/pull/6797)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-duplicate-properties` syntax error ([#6792](https://togithub.com/stylelint/stylelint/pull/6792)) ([@yoyo837](https://togithub.com/yoyo837)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-template` ([#6777](https://togithub.com/stylelint/stylelint/pull/6777)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `function-url-quotes` autofix for comments in SCSS function ([#6800](https://togithub.com/stylelint/stylelint/pull/6800)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.5.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1550)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.4.0...15.5.0)
- Added: `ignore: ["consecutive-duplicates-with-different-syntaxes"]` to `declaration-block-no-duplicate-properties` ([#6772](https://togithub.com/stylelint/stylelint/pull/6772)) ([@kimulaco](https://togithub.com/kimulaco)).
- Added: `ignoreProperties: []` to `declaration-block-no-duplicate-custom-properties` ([#6773](https://togithub.com/stylelint/stylelint/pull/6773)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: raw regex support to `ignoreProperties` for `declaration-block-no-duplicate-properties` ([#6764](https://togithub.com/stylelint/stylelint/pull/6764)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `block-no-empty` false positives with non-whitespace characters ([#6782](https://togithub.com/stylelint/stylelint/pull/6782)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `color-function-notation` false positives for namespaced imports ([#6774](https://togithub.com/stylelint/stylelint/pull/6774)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `custom-property-empty-line-before` false positives for CSS-in-JS ([#6767](https://togithub.com/stylelint/stylelint/pull/6767)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-range-notation` parse error ([#6760](https://togithub.com/stylelint/stylelint/pull/6760)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: CLI help improvements ([#6783](https://togithub.com/stylelint/stylelint/pull/6783)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.4.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1540)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.3.0...15.4.0)
- Added: `--quiet-deprecation-warnings` flag ([#6724](https://togithub.com/stylelint/stylelint/pull/6724)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `-c` alias for `--config` ([#6720](https://togithub.com/stylelint/stylelint/pull/6720)) ([@sidverma32](https://togithub.com/sidverma32)).
- Added: `media-feature-range-notation` autofix ([#6742](https://togithub.com/stylelint/stylelint/pull/6742)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: `no-unknown-custom-properties` rule ([#6731](https://togithub.com/stylelint/stylelint/pull/6731)) ([@jameschensmith](https://togithub.com/jameschensmith)).
- Fixed: `function-url-quotes` autofix for double-slash comments in SCSS maps ([#6745](https://togithub.com/stylelint/stylelint/pull/6745)) ([@jgerigmeyer](https://togithub.com/jgerigmeyer)).
- Fixed: `isPathIgnored()` utility's performance ([#6728](https://togithub.com/stylelint/stylelint/pull/6728)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `rule-selector-property-disallowed-list` secondary options ([#6723](https://togithub.com/stylelint/stylelint/pull/6723)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` with basic keywords ([#6748](https://togithub.com/stylelint/stylelint/pull/6748)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: deprecation warnings for disabled rules ([#6747](https://togithub.com/stylelint/stylelint/pull/6747)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.3.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1530)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.2.0...15.3.0)
- Added: `configurationComment` configuration property ([#6629](https://togithub.com/stylelint/stylelint/pull/6629)) ([@ifitzpatrick](https://togithub.com/ifitzpatrick)).
- Added: `selector-anb-no-unmatchable` rule ([#6678](https://togithub.com/stylelint/stylelint/pull/6678)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: TypeScript error for CommonJS importing ([#6703](https://togithub.com/stylelint/stylelint/pull/6703)) ([@remcohaszing](https://togithub.com/remcohaszing)).
- Fixed: `*-no-redundant-*` false negatives for `inset` shorthand ([#6699](https://togithub.com/stylelint/stylelint/pull/6699)) ([@rayrw](https://togithub.com/rayrw)).
- Fixed: `function-url-quotes` autofix for multiple `url()` ([#6711](https://togithub.com/stylelint/stylelint/pull/6711)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `value-keyword-case` false positives for Level 4 system colours ([#6712](https://togithub.com/stylelint/stylelint/pull/6712)) ([@thewilkybarkid](https://togithub.com/thewilkybarkid)).
### [`v15.2.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1520)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.1.0...15.2.0)
- Added: `messageArgs` to 76 rules ([#6589](https://togithub.com/stylelint/stylelint/pull/6589)) ([@kizu](https://togithub.com/kizu)).
- Fixed: TypeScript error to export `Plugin` and `RuleContext` ([#6664](https://togithub.com/stylelint/stylelint/pull/6664)) ([@henryruhs](https://togithub.com/henryruhs)).
- Fixed: `overrides.extends` order when including same rules ([#6660](https://togithub.com/stylelint/stylelint/pull/6660)) ([@kuoruan](https://togithub.com/kuoruan)).
- Fixed: `annotation-no-unknown` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `declaration-property-value-no-unknown` false positives for at-rule descriptors ([#6669](https://togithub.com/stylelint/stylelint/pull/6669)) ([@FloEdelmann](https://togithub.com/FloEdelmann)).
- Fixed: `declaration-property-value-no-unknown` parse error for `alpha(opacity=n)` to report as violation ([#6650](https://togithub.com/stylelint/stylelint/pull/6650)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `function-no-unknown` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `unit-no-unknown` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
- Fixed: `value-keyword-case` false positives for CSS-in-JS template literals ([#6666](https://togithub.com/stylelint/stylelint/pull/6666)) ([@hudochenkov](https://togithub.com/hudochenkov)).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
15.1.0->15.10.1GitHub Vulnerability Alerts
GHSA-f7xj-rg7h-mc87
Summary
Our
meowdependency (which we use for our CLI) depended onsemver@5.7.1. A vulnerability in this version ofsemverwas recently identified and surfaced bynpm audit:Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2 Severity: moderate semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw No fix available
And my dependencies tree for semver show your package
├─┬ stylelint@15.9.0 │ └─┬ meow@9.0.0 │ └─┬ read-pkg-up@7.0.1 │ └─┬ read-pkg@5.2.0 │ └─┬ normalize-package-data@2.5.0 │ └── semver@5.7.1 deduped
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and
meowis only used on the CLI pathway.⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older
semverversionsThe same security fix has been backported to older
semverversions of 5.x and 6.x. See the CVE-2022-25883 details.So, you can fix this vulnerability by just updating
semverin your project's dependency tree, instead of updatingstylelint. For details, see the example:package.json:Run
npm audit(here is no alert forsemver):Release Notes
stylelint/stylelint (stylelint)
### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101) [Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1) - Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)). - Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)). ### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100) [Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0) - Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)). - Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)). - Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)). - Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)). - Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)). - Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.