This PR contains the following updates: stylelint `15.4.0` -> `15.10.1`
GitHub Vulnerability Alerts
GHSA-f7xj-rg7h-mc87
Summary
Our meow dependency (which we use for our CLI) depended on semver@5.7.1. A vulnerability in this version of semver was recently identified and surfaced by npm audit: Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit shows the report
```
semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
```
And my dependencies tree for semver shows your package
```
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│   └─┬ read-pkg-up@7.0.1
│     └─┬ read-pkg@5.2.0
│       └─┬ normalize-package-data@2.5.0
│         └── semver@5.7.1 deduped
```
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older semver versions
The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:
```json
{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}
```
Run npm audit (the only remaining alert is this stylelint advisory itself; there is no alert for semver):
```console
$ npm ci
...
$ npm audit
...
stylelint 8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint
1 low severity vulnerability
...
$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2
```
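As an added check that is not part of the advisory or the stylelint project: this script walks a package-lock.json `packages` map (lockfileVersion 2/3) and reports every installed copy of semver still inside the ReDoS-affected ranges, so you can confirm that the backported fix actually landed in your tree even when `npm audit` only shows the stylelint advisory. The patched versions 5.7.2 and 7.5.2 come from the report above; 6.3.1 is the advisory's 6.x fix line and is not quoted on this page.

```javascript
// Added example: find semver copies affected by GHSA-c2qf-rxjj-qqgw in a lockfile.
"use strict";

// Patched release per major line. 6.3.1 is taken from the advisory itself,
// not from the report above.
const PATCHED = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Affected ranges: <5.7.2, >=6.0.0 <6.3.1, >=7.0.0 <7.5.2.
function isAffectedSemver(version) {
  const v = parseVersion(version);
  if (v[0] < 5) return true; // every pre-5.x release is inside "<5.7.2"
  const fixed = PATCHED[v[0]];
  return fixed ? lessThan(v, fixed) : false; // later majors are not affected
}

// Lockfile keys are install paths such as
// "node_modules/read-pkg/node_modules/semver", so the key itself shows which
// dependency pulled the copy in (nested copies are the ones audit tools miss).
function findAffectedSemver(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/semver") || !entry.version) continue;
    if (isAffectedSemver(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile mirroring the tree in the report: a patched
// semver@7.5.4 at top level and the old semver@5.7.1 nested under read-pkg's
// normalize-package-data@2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/read-pkg/node_modules/normalize-package-data": { version: "2.5.0" },
    "node_modules/read-pkg/node_modules/semver": { version: "5.7.1" },
  },
};

for (const h of findAffectedSemver(SAMPLE_LOCK)) {
  console.log(`${h.path}: semver@${h.version} is affected; update to a patched release`);
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedSemver` instead of the constructed sample.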
Release Notes
stylelint/stylelint (stylelint)
### [`v15.10.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15101)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.10.0...15.10.1)
- Security: fix for `semver` vulnerability ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: invalid option regression on Windows 10 ([#7043](https://togithub.com/stylelint/stylelint/pull/7043)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.10.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#15100)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.9.0...15.10.0)
- Added: `media-query-no-invalid` ([#6963](https://togithub.com/stylelint/stylelint/pull/6963)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for JS objects with `extends` config option ([#6998](https://togithub.com/stylelint/stylelint/pull/6998)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: inconsistent `errored` properties in `stylelint.lint()` return value ([#6983](https://togithub.com/stylelint/stylelint/pull/6983)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `{selector,value}-no-vendor-prefix` performance ([#7016](https://togithub.com/stylelint/stylelint/pull/7016)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `custom-property-pattern` performance ([#7009](https://togithub.com/stylelint/stylelint/pull/7009)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` false positives for `` ([#6987](https://togithub.com/stylelint/stylelint/pull/6987)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-name-case` performance ([#7010](https://togithub.com/stylelint/stylelint/pull/7010)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-no-unknown` performance ([#7004](https://togithub.com/stylelint/stylelint/pull/7004)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `function-url-quotes` performance ([#7011](https://togithub.com/stylelint/stylelint/pull/7011)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `hue-degree-notation` false negatives for `oklch` ([#7015](https://togithub.com/stylelint/stylelint/pull/7015)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `hue-degree-notation` performance ([#7012](https://togithub.com/stylelint/stylelint/pull/7012)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `media-feature-name-no-unknown` false positives for `environment-blending`, `nav-controls`, `prefers-reduced-data`, and `video-color-gamut` ([#6978](https://togithub.com/stylelint/stylelint/pull/6978)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `media-feature-name-no-vendor-prefix` positions for `*-device-pixel-ratio` ([#6977](https://togithub.com/stylelint/stylelint/pull/6977)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-descending-specificity` performance ([#7026](https://togithub.com/stylelint/stylelint/pull/7026)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `no-duplicate-at-import-rules` false negatives for imports with `supports` and `layer` conditions ([#7001](https://togithub.com/stylelint/stylelint/pull/7001)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-anb-no-unmatchable` performance ([#7042](https://togithub.com/stylelint/stylelint/pull/7042)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-id-pattern` performance ([#7013](https://togithub.com/stylelint/stylelint/pull/7013)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-pseudo-class-no-unknown` false negatives for pseudo-elements with matching names ([#6964](https://togithub.com/stylelint/stylelint/pull/6964)) ([@Mouvedia](https://togithub.com/Mouvedia)).
- Fixed: `selector-pseudo-element-no-unknown` performance ([#7007](https://togithub.com/stylelint/stylelint/pull/7007)) ([@jeddy3](https://togithub.com/jeddy3)).
- Fixed: `selector-type-case` performance ([#7041](https://togithub.com/stylelint/stylelint/pull/7041)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `selector-type-no-unknown` performance ([#7027](https://togithub.com/stylelint/stylelint/pull/7027)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `unit-disallowed-list` false negatives with percentages ([#7018](https://togithub.com/stylelint/stylelint/pull/7018)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.9.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1590)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.8.0...15.9.0)
- Added: `insideFunctions: {"function": int}` to `number-max-precision` ([#6932](https://togithub.com/stylelint/stylelint/pull/6932)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-radius` shorthand ([#6958](https://togithub.com/stylelint/stylelint/pull/6958)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `border-width` shorthand ([#6956](https://togithub.com/stylelint/stylelint/pull/6956)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-column` and `grid-row` ([#6957](https://togithub.com/stylelint/stylelint/pull/6957)) ([@mattxwang](https://togithub.com/mattxwang)).
### [`v15.8.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1580)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.7.0...15.8.0)
- Added: `media-feature-name-value-no-unknown` ([#6906](https://togithub.com/stylelint/stylelint/pull/6906)) ([@romainmenke](https://togithub.com/romainmenke)).
- Added: support for `.mjs` configuration files ([#6910](https://togithub.com/stylelint/stylelint/pull/6910)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `--print-config` description in CLI help ([#6914](https://togithub.com/stylelint/stylelint/pull/6914)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `allowEmptyInput` option in configuration files ([#6929](https://togithub.com/stylelint/stylelint/pull/6929)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `custom-property-no-missing-var-function` performance ([#6922](https://togithub.com/stylelint/stylelint/pull/6922)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-calc-no-unspaced-operator` performance ([#6923](https://togithub.com/stylelint/stylelint/pull/6923)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-linear-gradient-no-nonstandard-direction` performance ([#6924](https://togithub.com/stylelint/stylelint/pull/6924)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for SCSS functions with namespace ([#6921](https://togithub.com/stylelint/stylelint/pull/6921)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `max-nesting-depth` error for at-rules in Sass syntax ([#6909](https://togithub.com/stylelint/stylelint/pull/6909)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `selector-anb-no-unmatchable` performance ([#6925](https://togithub.com/stylelint/stylelint/pull/6925)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: remove `v8-compile-cache` dependency ([#6907](https://togithub.com/stylelint/stylelint/pull/6907)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.7.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1570)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.3...15.7.0)
- Added: `splitList: boolean` to `selector-nested-pattern` ([#6896](https://togithub.com/stylelint/stylelint/pull/6896)) ([@is2ei](https://togithub.com/is2ei)).
- Fixed: `unit-no-unknown` false positives for `unicode-range` descriptors ([#6892](https://togithub.com/stylelint/stylelint/pull/6892)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: segmentation fault errors for Cosmiconfig 8.2 ([#6902](https://togithub.com/stylelint/stylelint/pull/6902)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.3`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1563)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.2...15.6.3)
- Fixed: `alpha-value-notation` false positives for `color()` ([#6885](https://togithub.com/stylelint/stylelint/pull/6885)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `alpha-value-notation` performance with improved benchmark script ([#6864](https://togithub.com/stylelint/stylelint/pull/6864)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `at-rule-property-required-list` performance ([#6865](https://togithub.com/stylelint/stylelint/pull/6865)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `color-*` performance ([#6868](https://togithub.com/stylelint/stylelint/pull/6868)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `length-zero-no-unit` false positives on new math functions ([#6871](https://togithub.com/stylelint/stylelint/pull/6871)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `string` formatter for unexpected truncation on non-ASCII characters ([#6861](https://togithub.com/stylelint/stylelint/pull/6861)) ([@Max10240](https://togithub.com/Max10240)).
- Fixed: `unit-no-unknown` false positives for the second and subsequent `image-set()` with `x` descriptor ([#6879](https://togithub.com/stylelint/stylelint/pull/6879)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.2`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1562)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.1...15.6.2)
- Fixed: `alpha-value-notation` false negatives for `oklab()`, `oklch()`, and `color()` ([#6844](https://togithub.com/stylelint/stylelint/pull/6844)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix with `cubic-bezier()` ([#6841](https://togithub.com/stylelint/stylelint/pull/6841)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-no-unknown` false positives for unspaced operators against nested brackets ([#6842](https://togithub.com/stylelint/stylelint/pull/6842)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `function-url-quotes` false positives for SCSS `with()` construct ([#6847](https://togithub.com/stylelint/stylelint/pull/6847)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-name-no-unknown` false positives for `not` and `or` ([#6838](https://togithub.com/stylelint/stylelint/pull/6838)) ([@romainmenke](https://togithub.com/romainmenke)).
### [`v15.6.1`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1561)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.6.0...15.6.1)
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `transition` ([#6815](https://togithub.com/stylelint/stylelint/pull/6815)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `github` formatter for missing final newline ([#6822](https://togithub.com/stylelint/stylelint/pull/6822)) ([@konomae](https://togithub.com/konomae)).
- Fixed: `selector-pseudo-class-no-unknown` false positive for `:modal` ([#6811](https://togithub.com/stylelint/stylelint/pull/6811)) ([@Yasir761](https://togithub.com/Yasir761)).
### [`v15.6.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1560)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.5.0...15.6.0)
- Added: `allowEmptyInput`, `cache`, `fix` options to configuration object ([#6778](https://togithub.com/stylelint/stylelint/pull/6778)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: `ignore: ["with-var-inside"]` to `color-function-notation` ([#6802](https://togithub.com/stylelint/stylelint/pull/6802)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` autofix for 3 or more duplicates ([#6801](https://togithub.com/stylelint/stylelint/pull/6801)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `declaration-block-no-duplicate-properties` false positives with option `ignore: ["consecutive-duplicates-with-different-syntaxes"]` ([#6797](https://togithub.com/stylelint/stylelint/pull/6797)) ([@romainmenke](https://togithub.com/romainmenke)).
- Fixed: `declaration-block-no-duplicate-properties` syntax error ([#6792](https://togithub.com/stylelint/stylelint/pull/6792)) ([@yoyo837](https://togithub.com/yoyo837)).
- Fixed: `declaration-block-no-redundant-longhand-properties` autofix for `grid-template` ([#6777](https://togithub.com/stylelint/stylelint/pull/6777)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `function-url-quotes` autofix for comments in SCSS function ([#6800](https://togithub.com/stylelint/stylelint/pull/6800)) ([@ybiquitous](https://togithub.com/ybiquitous)).
### [`v15.5.0`](https://togithub.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#1550)
[Compare Source](https://togithub.com/stylelint/stylelint/compare/15.4.0...15.5.0)
- Added: `ignore: ["consecutive-duplicates-with-different-syntaxes"]` to `declaration-block-no-duplicate-properties` ([#6772](https://togithub.com/stylelint/stylelint/pull/6772)) ([@kimulaco](https://togithub.com/kimulaco)).
- Added: `ignoreProperties: []` to `declaration-block-no-duplicate-custom-properties` ([#6773](https://togithub.com/stylelint/stylelint/pull/6773)) ([@mattxwang](https://togithub.com/mattxwang)).
- Added: raw regex support to `ignoreProperties` for `declaration-block-no-duplicate-properties` ([#6764](https://togithub.com/stylelint/stylelint/pull/6764)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `block-no-empty` false positives with non-whitespace characters ([#6782](https://togithub.com/stylelint/stylelint/pull/6782)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `color-function-notation` false positives for namespaced imports ([#6774](https://togithub.com/stylelint/stylelint/pull/6774)) ([@mattxwang](https://togithub.com/mattxwang)).
- Fixed: `custom-property-empty-line-before` false positives for CSS-in-JS ([#6767](https://togithub.com/stylelint/stylelint/pull/6767)) ([@ybiquitous](https://togithub.com/ybiquitous)).
- Fixed: `media-feature-range-notation` parse error ([#6760](https://togithub.com/stylelint/stylelint/pull/6760)) ([@fpetrakov](https://togithub.com/fpetrakov)).
- Fixed: CLI help improvements ([#6783](https://togithub.com/stylelint/stylelint/pull/6783)) ([@ybiquitous](https://togithub.com/ybiquitous)).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.