This PR contains the following updates: `stylelint` `15.6.2` -> `15.10.1`

### GitHub Vulnerability Alerts

#### GHSA-f7xj-rg7h-mc87

#### Summary

Our `meow` dependency (which we use for our CLI) depended on `semver@5.7.1`. A vulnerability in this version of `semver` was recently identified and surfaced by `npm audit`: Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

#### Details

Original post by the reporter:

> My npm audit shows the report:
>
> ```
> semver <7.5.2
> Severity: moderate
> semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
> No fix available
> ```
>
> And my dependency tree for semver shows your package:
>
> ```
> ├─┬ stylelint@15.9.0
> │ └─┬ meow@9.0.0
> │   └─┬ read-pkg-up@7.0.1
> │     └─┬ read-pkg@5.2.0
> │       └─┬ normalize-package-data@2.5.0
> │         └── semver@5.7.1 deduped
> ```
>
> I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.
>
> Update your package to use the 'meow' version >=10
#### PoC

N/A

#### Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
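To see which transitive path actually pins the unpatched `semver`, the following added example (not code from the Renovate PR, from Stylelint or from the reporter) walks an `npm ls --json`-style dependency tree and reports every path that resolves `semver` to a version below the patched 7.5.2 named in GHSA-c2qf-rxjj-qqgw. The sample tree is constructed from the dependency chain quoted in the advisory; the extra direct `semver@7.5.4` entry is a hypothetical addition showing that a patched copy elsewhere in the tree does not hide the vulnerable one. Versions are assumed to be plain `MAJOR.MINOR.PATCH`; the `deduped` marker from `npm ls` is not modelled.

```javascript
// Added example, not part of the Renovate PR, Stylelint or the reporter's post:
// find every dependency path in an `npm ls --json`-style tree that resolves
// a package to a version below a given fix version.

// Constructed sample tree mirroring the reporter's `npm ls` output for
// semver@5.7.1, plus a hypothetical direct, already-patched semver.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    stylelint: {
      version: "15.9.0",
      dependencies: {
        meow: {
          version: "9.0.0",
          dependencies: {
            "read-pkg-up": {
              version: "7.0.1",
              dependencies: {
                "read-pkg": {
                  version: "5.2.0",
                  dependencies: {
                    "normalize-package-data": {
                      version: "2.5.0",
                      dependencies: { semver: { version: "5.7.1" } },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    // Hypothetical direct dependency already on a patched semver.
    semver: { version: "7.5.4" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into three numbers (pre-release/build
// suffixes are ignored; this check only needs the numeric core).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over `dependencies`; collect every path whose leaf is
// `pkg` at a version strictly below `fixedIn`. Paths are joined with " > ".
function findVulnerablePaths(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkg && compareVersions(child.version, fixedIn) < 0) {
        hits.push(here.join(" > "));
      }
      walk(child, here);
    }
  };
  walk(tree, []);
  return hits;
}

// Stand-alone run: print each vulnerable path for the constructed tree.
if (typeof require !== "undefined" && require.main === module) {
  for (const p of findVulnerablePaths(SAMPLE_TREE, "semver", "7.5.2")) {
    console.log("vulnerable:", p);
  }
}
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json` (`--all` is required on npm 7+ to include transitive dependencies). The walk deliberately does not stop at the first hit: a ReDoS in a transitive dependency is only fixed when every path to the unpatched version is gone, which is why the advisory's remediation was to move `meow` to a major version that pulls in `semver@7`.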
### Release Notes
stylelint/stylelint (stylelint)
### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1)
- Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0)
- Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `` ([#6987](https://togithub.com/stylelint/stylelint/pull/6987)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` performance ([#7010](https://togithub.com/stylelint/stylelint/pull/7010)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-no-unknown` performance ([#7004](https://togithub.com/stylelint/stylelint/pull/7004)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-url-quotes` performance ([#7011](https://togithub.com/stylelint/stylelint/pull/7011)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `hue-degree-notation` false negatives for `oklch` ([#7015](https://togithub.com/stylelint/stylelint/pull/7015)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `hue-degree-notation` performance ([#7012](https://togithub.com/stylelint/stylelint/pull/7012)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` ([#6978](https://togithub.com/stylelint/stylelint/pull/6978)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` ([#6977](https://togithub.com/stylelint/stylelint/pull/6977)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-descending-specificity` performance ([#7026](https://togithub.com/stylelint/stylelint/pull/7026)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions ([#7001](https://togithub.com/stylelint/stylelint/pull/7001)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-anb-no-unmatchable` performance ([#7042](https://togithub.com/stylelint/stylelint/pull/7042)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-id-pattern` performance ([#7013](https://togithub.com/stylelint/stylelint/pull/7013)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names ([#6964](https://togithub.com/stylelint/stylelint/pull/6964)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `selector-pseudo-element-no-unknown` performance ([#7007](https://togithub.com/stylelint/stylelint/pull/7007)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-type-case` performance ([#7041](https://togithub.com/stylelint/stylelint/pull/7041)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-type-no-unknown` performance ([#7027](https://togithub.com/stylelint/stylelint/pull/7027)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `unit-disallowed-list` false negatives with percentages ([#7018](https://togithub.com/stylelint/stylelint/pull/7018)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.9.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1590)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.8.0...15.9.0)
- Added: `insideFunctions: {"function": int}` to `number-max-precision` ([#6932](https://togithub.com/stylelint/stylelint/pull/6932)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand ([#6958](https://togithub.com/stylelint/stylelint/pull/6958)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand ([#6956](https://togithub.com/stylelint/stylelint/pull/6956)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` ([#6957](https://togithub.com/stylelint/stylelint/pull/6957)) ([@mattxwang](https://togithub.com/mattxwang)).
### [`v15.8.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1580)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.7.0...15.8.0)
- Added: `media-feature-name-value-no-unknown` ([#6906](https://togithub.com/stylelint/stylelint/pull/6906)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for `.mjs` configuration files ([#6910](https://togithub.com/stylelint/stylelint/pull/6910)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `--print-config` description in CLI help ([#6914](https://togithub.com/stylelint/stylelint/pull/6914)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `allowEmptyInput` option in configuration files ([#6929](https://togithub.com/stylelint/stylelint/pull/6929)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `custom-property-no-missing-var-function` performance ([#6922](https://togithub.com/stylelint/stylelint/pull/6922)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` performance ([#6923](https://togithub.com/stylelint/stylelint/pull/6923)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` performance ([#6924](https://togithub.com/stylelint/stylelint/pull/6924)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for SCSS functions with namespace ([#6921](https://togithub.com/stylelint/stylelint/pull/6921)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `max-nesting-depth` error for at-rules in Sass syntax ([#6909](https://togithub.com/stylelint/stylelint/pull/6909)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `selector-anb-no-unmatchable` performance ([#6925](https://togithub.com/stylelint/stylelint/pull/6925)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: remove `v8-compile-cache` dependency ([#6907](https://togithub.com/stylelint/stylelint/pull/6907)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.7.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1570)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.3...15.7.0)
- Added: `splitList: boolean` to `selector-nested-pattern` ([#6896](https://togithub.com/stylelint/stylelint/pull/6896)) ([@is2ei](https://togithub.com/is2ei)).
- Fixed: `unit-no-unknown` false positives for `unicode-range` descriptors ([#6892](https://togithub.com/stylelint/stylelint/pull/6892)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: segmentation fault errors for Cosmiconfig 8.2 ([#6902](https://togithub.com/stylelint/stylelint/pull/6902)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.3`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1563)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.2...15.6.3)
- Fixed: `alpha-value-notation` false positives for `color()` ([#6885](https://togithub.com/stylelint/stylelint/pull/6885)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `alpha-value-notation` performance with improved benchmark script ([#6864](https://togithub.com/stylelint/stylelint/pull/6864)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `at-rule-property-required-list` performance ([#6865](https://togithub.com/stylelint/stylelint/pull/6865)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `color-*` performance ([#6868](https://togithub.com/stylelint/stylelint/pull/6868)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `length-zero-no-unit` false positives on new math functions ([#6871](https://togithub.com/stylelint/stylelint/pull/6871)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `string` formatter for unexpected truncation on non-ASCII characters ([#6861](https://togithub.com/stylelint/stylelint/pull/6861)) ([@Max10240](https://togithub.com/Max10240)).
- Fixed: `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor ([#6879](https://togithub.com/stylelint/stylelint/pull/6879)) ([@romainmenke](https://togithub.com/romainmenke)).
### Configuration
📅 Schedule: Branch creation - "" in timezone America/Lima, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.