iterative / mlem.ai

✨ Landing page for MLEM
https://mlem.ai/
BSD Zero Clause License

chore(deps): update dependency stylelint to v15.10.1 [security] - autoclosed #357

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| stylelint (source) | 15.6.2 -> 15.10.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit shows the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available

And my dependency tree for semver shows your package

├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│   └─┬ read-pkg-up@7.0.1
│     └─┬ read-pkg@5.2.0
│       └─┬ normalize-package-data@2.5.0
│         └── semver@5.7.1 deduped

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (there is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2

Release Notes

stylelint/stylelint (stylelint)

### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1)

- Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0)

- Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `` ([#6987](https://togithub.com/stylelint/stylelint/pull/6987)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` performance ([#7010](https://togithub.com/stylelint/stylelint/pull/7010)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-no-unknown` performance ([#7004](https://togithub.com/stylelint/stylelint/pull/7004)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-url-quotes` performance ([#7011](https://togithub.com/stylelint/stylelint/pull/7011)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `hue-degree-notation` false negatives for `oklch` ([#7015](https://togithub.com/stylelint/stylelint/pull/7015)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `hue-degree-notation` performance ([#7012](https://togithub.com/stylelint/stylelint/pull/7012)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` ([#6978](https://togithub.com/stylelint/stylelint/pull/6978)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` ([#6977](https://togithub.com/stylelint/stylelint/pull/6977)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-descending-specificity` performance ([#7026](https://togithub.com/stylelint/stylelint/pull/7026)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions ([#7001](https://togithub.com/stylelint/stylelint/pull/7001)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-anb-no-unmatchable` performance ([#7042](https://togithub.com/stylelint/stylelint/pull/7042)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-id-pattern` performance ([#7013](https://togithub.com/stylelint/stylelint/pull/7013)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names ([#6964](https://togithub.com/stylelint/stylelint/pull/6964)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `selector-pseudo-element-no-unknown` performance ([#7007](https://togithub.com/stylelint/stylelint/pull/7007)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-type-case` performance ([#7041](https://togithub.com/stylelint/stylelint/pull/7041)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-type-no-unknown` performance ([#7027](https://togithub.com/stylelint/stylelint/pull/7027)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `unit-disallowed-list` false negatives with percentages ([#7018](https://togithub.com/stylelint/stylelint/pull/7018)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.9.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1590)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.8.0...15.9.0)

- Added: `insideFunctions: {"function": int}` to `number-max-precision` ([#6932](https://togithub.com/stylelint/stylelint/pull/6932)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand ([#6958](https://togithub.com/stylelint/stylelint/pull/6958)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand ([#6956](https://togithub.com/stylelint/stylelint/pull/6956)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` ([#6957](https://togithub.com/stylelint/stylelint/pull/6957)) ([@mattxwang](https://togithub.com/mattxwang)).

### [`v15.8.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1580)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.7.0...15.8.0)

- Added: `media-feature-name-value-no-unknown` ([#6906](https://togithub.com/stylelint/stylelint/pull/6906)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for `.mjs` configuration files ([#6910](https://togithub.com/stylelint/stylelint/pull/6910)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `--print-config` description in CLI help ([#6914](https://togithub.com/stylelint/stylelint/pull/6914)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `allowEmptyInput` option in configuration files ([#6929](https://togithub.com/stylelint/stylelint/pull/6929)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `custom-property-no-missing-var-function` performance ([#6922](https://togithub.com/stylelint/stylelint/pull/6922)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` performance ([#6923](https://togithub.com/stylelint/stylelint/pull/6923)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` performance ([#6924](https://togithub.com/stylelint/stylelint/pull/6924)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for SCSS functions with namespace ([#6921](https://togithub.com/stylelint/stylelint/pull/6921)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `max-nesting-depth` error for at-rules in Sass syntax ([#6909](https://togithub.com/stylelint/stylelint/pull/6909)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `selector-anb-no-unmatchable` performance ([#6925](https://togithub.com/stylelint/stylelint/pull/6925)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: remove `v8-compile-cache` dependency ([#6907](https://togithub.com/stylelint/stylelint/pull/6907)) ([@ybiquitous](https://togithub.com/ybiquitous)).

### [`v15.7.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1570)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.3...15.7.0)

- Added: `splitList: boolean` to `selector-nested-pattern` ([#6896](https://togithub.com/stylelint/stylelint/pull/6896)) ([@is2ei](https://togithub.com/is2ei)).
- Fixed: `unit-no-unknown` false positives for `unicode-range` descriptors ([#6892](https://togithub.com/stylelint/stylelint/pull/6892)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: segmentation fault errors for Cosmiconfig 8.2 ([#6902](https://togithub.com/stylelint/stylelint/pull/6902)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.6.3`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1563)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.2...15.6.3)

- Fixed: `alpha-value-notation` false positives for `color()` ([#6885](https://togithub.com/stylelint/stylelint/pull/6885)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `alpha-value-notation` performance with improved benchmark script ([#6864](https://togithub.com/stylelint/stylelint/pull/6864)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `at-rule-property-required-list` performance ([#6865](https://togithub.com/stylelint/stylelint/pull/6865)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `color-*` performance ([#6868](https://togithub.com/stylelint/stylelint/pull/6868)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `length-zero-no-unit` false positives on new math functions ([#6871](https://togithub.com/stylelint/stylelint/pull/6871)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `string` formatter for unexpected truncation on non-ASCII characters ([#6861](https://togithub.com/stylelint/stylelint/pull/6861)) ([@Max10240](https://togithub.com/Max10240)).
- Fixed: `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor ([#6879](https://togithub.com/stylelint/stylelint/pull/6879)) ([@romainmenke](https://togithub.com/romainmenke)).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
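The advisory above shows how a single outdated transitive copy of `semver` (nested under `read-pkg`) keeps the alert alive even when the top-level copy is patched. The following is an added example, not code from this PR, Renovate or stylelint: it walks an npm lockfile (lockfileVersion 2/3 `packages` map, assumed) and reports every copy of a package together with the nesting chain that pulled it in, flagging those still below the patched release of their major line. The 5.7.2 and 7.5.2 floors come from the page; the 6.3.1 floor for the 6.x line is taken from the upstream semver advisory and is an assumption here.

```javascript
// Added example (not from the PR or stylelint): flag copies of a package in an npm
// lockfile (v2/v3 "packages" map) that sit below the patched release of their major line.
// Floors for GHSA-c2qf-rxjj-qqgw: 5.7.2 and 7.5.2 are on the page; 6.3.1 is assumed.
function patchedFloor(major) {
  if (major <= 5) return [5, 7, 2]; // npm audit says "semver <7.5.2", so 4.x and older count too
  if (major === 6) return [6, 3, 1];
  if (major === 7) return [7, 5, 2];
  return null; // later major lines shipped after the fix (assumption)
}
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// True when `version` is strictly below the patched floor of its major line.
function isVulnerable(version) {
  const v = parseVersion(version);
  const floor = patchedFloor(v[0]);
  if (floor === null) return false;
  for (let i = 0; i < 3; i++) if (v[i] !== floor[i]) return v[i] < floor[i];
  return false; // exactly the patched version
}
// Keys look like "node_modules/read-pkg/node_modules/semver"; the nesting chain shows
// which dependent pulled in the copy (a hoisted top-level copy has no parent).
function findCopies(lock, name) {
  const copies = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const idx = key.indexOf("node_modules/");
    if (idx < 0) continue; // root entry or workspace link, not an installed package
    const chain = key.slice(idx + "node_modules/".length).split("/node_modules/");
    if (chain[chain.length - 1] !== name) continue; // also skips "@scope/<name>"
    copies.push({ path: chain.join(" > "), version: meta.version, vulnerable: isVulnerable(meta.version) });
  }
  return copies;
}
// Constructed lockfile fragment mirroring the `npm ls semver` tree in the advisory.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/stylelint": { version: "15.10.0" },
    "node_modules/meow": { version: "9.0.0" },
    "node_modules/normalize-package-data": { version: "3.0.3" },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/read-pkg": { version: "5.2.0" },
    "node_modules/read-pkg/node_modules/normalize-package-data": { version: "2.5.0" },
    "node_modules/read-pkg/node_modules/semver": { version: "5.7.1" },
  },
};
function vulnerableCopies(lock = SAMPLE_LOCK, name = "semver") {
  return findCopies(lock, name).filter((c) => c.vulnerable);
}
```

Running `vulnerableCopies(JSON.parse(fs.readFileSync("package-lock.json")))` against a real project lists exactly the nested copies that `npm audit fix` would have to replace.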