mizdra / happy-css-modules

Typed, definition jumpable CSS Modules. Moreover, easy!
MIT License

Update dependency stylelint to v15.10.1 [SECURITY] #210

Closed renovate[bot] closed 12 months ago

renovate[bot] commented 12 months ago


This PR contains the following updates:

| Package | Change |
| --- | --- |
| stylelint (source) | 15.4.0 -> 15.10.1 |

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"My npm audit shows the report

```
semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
```

And my dependency tree for semver shows your package

```
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│   └─┬ read-pkg-up@7.0.1
│     └─┬ read-pkg@5.2.0
│       └─┬ normalize-package-data@2.5.0
│         └── semver@5.7.1 deduped
```

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


Release Notes

stylelint/stylelint (stylelint)

### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1)

- Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0)

- Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `` ([#6987](https://togithub.com/stylelint/stylelint/pull/6987)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` performance ([#7010](https://togithub.com/stylelint/stylelint/pull/7010)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-no-unknown` performance ([#7004](https://togithub.com/stylelint/stylelint/pull/7004)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-url-quotes` performance ([#7011](https://togithub.com/stylelint/stylelint/pull/7011)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `hue-degree-notation` false negatives for `oklch` ([#7015](https://togithub.com/stylelint/stylelint/pull/7015)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `hue-degree-notation` performance ([#7012](https://togithub.com/stylelint/stylelint/pull/7012)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` ([#6978](https://togithub.com/stylelint/stylelint/pull/6978)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` ([#6977](https://togithub.com/stylelint/stylelint/pull/6977)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-descending-specificity` performance ([#7026](https://togithub.com/stylelint/stylelint/pull/7026)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions ([#7001](https://togithub.com/stylelint/stylelint/pull/7001)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-anb-no-unmatchable` performance ([#7042](https://togithub.com/stylelint/stylelint/pull/7042)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-id-pattern` performance ([#7013](https://togithub.com/stylelint/stylelint/pull/7013)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names ([#6964](https://togithub.com/stylelint/stylelint/pull/6964)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `selector-pseudo-element-no-unknown` performance ([#7007](https://togithub.com/stylelint/stylelint/pull/7007)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-type-case` performance ([#7041](https://togithub.com/stylelint/stylelint/pull/7041)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-type-no-unknown` performance ([#7027](https://togithub.com/stylelint/stylelint/pull/7027)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `unit-disallowed-list` false negatives with percentages ([#7018](https://togithub.com/stylelint/stylelint/pull/7018)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.9.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1590)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.8.0...15.9.0)

- Added: `insideFunctions: {"function": int}` to `number-max-precision` ([#6932](https://togithub.com/stylelint/stylelint/pull/6932)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand ([#6958](https://togithub.com/stylelint/stylelint/pull/6958)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand ([#6956](https://togithub.com/stylelint/stylelint/pull/6956)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` ([#6957](https://togithub.com/stylelint/stylelint/pull/6957)) ([@mattxwang](https://togithub.com/mattxwang)).

### [`v15.8.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1580)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.7.0...15.8.0)

- Added: `media-feature-name-value-no-unknown` ([#6906](https://togithub.com/stylelint/stylelint/pull/6906)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for `.mjs` configuration files ([#6910](https://togithub.com/stylelint/stylelint/pull/6910)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `--print-config` description in CLI help ([#6914](https://togithub.com/stylelint/stylelint/pull/6914)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `allowEmptyInput` option in configuration files ([#6929](https://togithub.com/stylelint/stylelint/pull/6929)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `custom-property-no-missing-var-function` performance ([#6922](https://togithub.com/stylelint/stylelint/pull/6922)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` performance ([#6923](https://togithub.com/stylelint/stylelint/pull/6923)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` performance ([#6924](https://togithub.com/stylelint/stylelint/pull/6924)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for SCSS functions with namespace ([#6921](https://togithub.com/stylelint/stylelint/pull/6921)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `max-nesting-depth` error for at-rules in Sass syntax ([#6909](https://togithub.com/stylelint/stylelint/pull/6909)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `selector-anb-no-unmatchable` performance ([#6925](https://togithub.com/stylelint/stylelint/pull/6925)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: remove `v8-compile-cache` dependency ([#6907](https://togithub.com/stylelint/stylelint/pull/6907)) ([@ybiquitous](https://togithub.com/ybiquitous)).

### [`v15.7.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1570)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.3...15.7.0)

- Added: `splitList: boolean` to `selector-nested-pattern` ([#6896](https://togithub.com/stylelint/stylelint/pull/6896)) ([@is2ei](https://togithub.com/is2ei)).
- Fixed: `unit-no-unknown` false positives for `unicode-range` descriptors ([#6892](https://togithub.com/stylelint/stylelint/pull/6892)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: segmentation fault errors for Cosmiconfig 8.2 ([#6902](https://togithub.com/stylelint/stylelint/pull/6902)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.6.3`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1563)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.2...15.6.3)

- Fixed: `alpha-value-notation` false positives for `color()` ([#6885](https://togithub.com/stylelint/stylelint/pull/6885)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `alpha-value-notation` performance with improved benchmark script ([#6864](https://togithub.com/stylelint/stylelint/pull/6864)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `at-rule-property-required-list` performance ([#6865](https://togithub.com/stylelint/stylelint/pull/6865)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `color-*` performance ([#6868](https://togithub.com/stylelint/stylelint/pull/6868)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `length-zero-no-unit` false positives on new math functions ([#6871](https://togithub.com/stylelint/stylelint/pull/6871)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `string` formatter for unexpected truncation on non-ASCII characters ([#6861](https://togithub.com/stylelint/stylelint/pull/6861)) ([@Max10240](https://togithub.com/Max10240)).
- Fixed: `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor ([#6879](https://togithub.com/stylelint/stylelint/pull/6879)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.6.2`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1562)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.1...15.6.2)

- Fixed: `alpha-value-notation` false negatives for `oklab()`, `oklch()`, and `color()` ([#6844](https://togithub.com/stylelint/stylelint/pull/6844)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix with `cubic-bezier()` ([#6841](https://togithub.com/stylelint/stylelint/pull/6841)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for unspaced operators against nested brackets ([#6842](https://togithub.com/stylelint/stylelint/pull/6842)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-url-quotes` false positives for SCSS `with()` construct ([#6847](https://togithub.com/stylelint/stylelint/pull/6847)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-name-no-unknown` false positives for `not` and `or` ([#6838](https://togithub.com/stylelint/stylelint/pull/6838)) ([@romainmenke](https://togithub.com/romainmenke)).

### [`v15.6.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1561)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.0...15.6.1)

- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `transition` ([#6815](https://togithub.com/stylelint/stylelint/pull/6815)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `github` formatter for missing final newline ([#6822](https://togithub.com/stylelint/stylelint/pull/6822)) ([@konomae](https://togithub.com/konomae)).
- Fixed: `selector-pseudo-class-no-unknown` false positive for `:modal` ([#6811](https://togithub.com/stylelint/stylelint/pull/6811)) ([@Yasir761](https://togithub.com/Yasir761)).

### [`v15.6.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1560)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.5.0...15.6.0)

- Added: `allowEmptyInput`, `cache`, `fix` options to configuration object ([#6778](https://togithub.com/stylelint/stylelint/pull/6778)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `ignore: ["with-var-inside"]` to `color-function-notation` ([#6802](https://togithub.com/stylelint/stylelint/pull/6802)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` autofix for 3 or more duplicates ([#6801](https://togithub.com/stylelint/stylelint/pull/6801)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` false positives with option `ignore: ["consecutive-duplicates-with-different-syntaxes"]` ([#6797](https://togithub.com/stylelint/stylelint/pull/6797)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-duplicate-properties` syntax error ([#6792](https://togithub.com/stylelint/stylelint/pull/6792)) ([@yoyo837](https://togithub.com/yoyo837)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-template` ([#6777](https://togithub.com/stylelint/stylelint/pull/6777)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `function-url-quotes` autofix for comments in SCSS function ([#6800](https://togithub.com/stylelint/stylelint/pull/6800)) ([@ybiquitous](https://togithub.com/ybiquitous)).

### [`v15.5.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1550)

[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.4.0...15.5.0)

- Added: `ignore: ["consecutive-duplicates-with-different-syntaxes"]` to `declaration-block-no-duplicate-properties` ([#6772](https://togithub.com/stylelint/stylelint/pull/6772)) ([@kimulaco](https://togithub.com/kimulaco)).
- Added: `ignoreProperties: []` to `declaration-block-no-duplicate-custom-properties` ([#6773](https://togithub.com/stylelint/stylelint/pull/6773)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: raw regex support to `ignoreProperties` for `declaration-block-no-duplicate-properties` ([#6764](https://togithub.com/stylelint/stylelint/pull/6764)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `block-no-empty` false positives with non-whitespace characters ([#6782](https://togithub.com/stylelint/stylelint/pull/6782)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `color-function-notation` false positives for namespaced imports ([#6774](https://togithub.com/stylelint/stylelint/pull/6774)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `custom-property-empty-line-before` false positives for CSS-in-JS ([#6767](https://togithub.com/stylelint/stylelint/pull/6767)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-range-notation` parse error ([#6760](https://togithub.com/stylelint/stylelint/pull/6760)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: CLI help improvements ([#6783](https://togithub.com/stylelint/stylelint/pull/6783)) ([@ybiquitous](https://togithub.com/ybiquitous)).

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR has been generated by Mend Renovate. View repository job log here.
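
The advisory above turns on a transitive path (stylelint > meow > ... > semver@5.7.1) that a top-level version check would miss. The following is an added example, not part of the PR or of stylelint or Renovate: it walks a dependency tree assumed to be shaped like `npm ls --all --json` output and lists every chain that reaches a `semver` older than the `7.5.2` bound printed in the quoted `npm audit` report. The function names and the sample tree are constructed for illustration.

```javascript
// Added example: list every dependency path reaching a package below a fixed release.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` sorts before `fixed`. An installed version that cannot
// be parsed is reported too, so it gets a manual look instead of a silent pass.
function isBelow(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!b) throw new Error(`bad fixed version: ${fixed}`);
  if (!a) return true;
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false; // equal versions are not below
}

// Depth-first walk; each hit is the full chain from the project root.
function findVulnerablePaths(node, name, fixed, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${dep}@${info.version}`];
    if (dep === name && isBelow(info.version, fixed)) hits.push(here.join(" > "));
    hits.push(...findVulnerablePaths(info, name, fixed, here));
  }
  return hits;
}

// Constructed sample mirroring the tree quoted in the advisory, plus a
// hypothetical top-level semver@7.5.2 that must not be flagged.
const sampleTree = {
  dependencies: {
    stylelint: { version: "15.9.0", dependencies: {
      meow: { version: "9.0.0", dependencies: {
        "read-pkg-up": { version: "7.0.1", dependencies: {
          "read-pkg": { version: "5.2.0", dependencies: {
            "normalize-package-data": { version: "2.5.0", dependencies: {
              semver: { version: "5.7.1" },
            } },
          } },
        } },
      } },
    } },
    semver: { version: "7.5.2" },
  },
};

console.log(findVulnerablePaths(sampleTree, "semver", "7.5.2"));
```

In CI, feed it the parsed JSON from the project's own tree and fail the job when the returned list is non-empty.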