wagtail / wagtail-autocomplete

An Autocomplete edit handler for selecting Pages, Snippets, and more.
https://wagtail-autocomplete.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Updates postcss-loader and stylelint #150

Closed SaptakS closed 1 year ago

SaptakS commented 1 year ago

The vulnerability is actually in the yaml package, which is a dependency of cosmiconfig, which is a dependency of postcss-loader. However, updating postcss-loader updates cosmiconfig, and the latest cosmiconfig version uses js-yaml instead of yaml. So I have just updated the entire dependency chain to hopefully resolve the vulnerability.

I also updated stylelint and stylelint related packages which also depended on cosmiconfig.
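
The dependency chain described in the comment above can be read directly out of a lockfile. The following is an added example, not part of this pull request or the project's code: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and lists every chain from the project root to a named package. The function names and the sample lockfile, including its placeholder versions, are constructed for illustration.

```javascript
// Added example: list every dependency chain from the project root to a named
// package, using the "packages" map of an npm lockfile (lockfileVersion 2 or 3).

// Constructed sample lockfile; versions are placeholders, not the project's.
function sampleLock(yamlLib) {
  return { packages: {
    "": { devDependencies: { "postcss-loader": "*", stylelint: "*" } },
    "node_modules/postcss-loader": { version: "0.0.0", dependencies: { cosmiconfig: "*" } },
    "node_modules/stylelint": { version: "0.0.0", dependencies: { cosmiconfig: "*" } },
    "node_modules/cosmiconfig": { version: "0.0.0", dependencies: { [yamlLib]: "*" } },
    [`node_modules/${yamlLib}`]: { version: "0.0.0" },
  } };
}

// Mimic Node resolution: look in the package's own node_modules, then walk up.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("node_modules/");
    base = cut > 0 ? base.slice(0, cut - 1) : "";
  }
}

// Depth-first walk over dependencies (peerDependencies are not followed).
// Enumerates every simple path, so use it on one target at a time.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next || seen.has(next)) continue; // not installed, or a cycle
      const chain = [...trail, `${name}@${packages[next].version}`];
      if (name === target) { chains.push(chain.join(" > ")); continue; }
      walk(next, chain, new Set(seen).add(next));
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(sampleLock("yaml"), "yaml"));    // before the upgrade
console.log(findChains(sampleLock("js-yaml"), "yaml")); // after: no chain left
```

On a real checkout, `npm explain yaml` reports the same chains from the installed tree.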

SaptakS commented 1 year ago

I am actually unable to reproduce this. I tried doing npm-install and it worked fine. I even tried removing node_modules and then installing again, and it still worked. 🤔 Also the only mentioned stylelint packages in package.json, I would think that should update everything that needs to be updated.

SaptakS commented 1 year ago

Okay. I was able to reproduce after updating npm. Seems like it is because the dependencies of @wagtail/stylelint-config-wagtail have not been updated for stylelint. I can probably create a PR to that repo and poke Thibaud to take a look at it.

Not sure we can update here otherwise.

harrislapiroff commented 1 year ago

No word from @thibaudcolas but saptak may put in a PR upstream to fix

SaptakS commented 1 year ago

There is a PR now: https://github.com/wagtail/stylelint-config-wagtail/pull/34. Thibaud is reviewing it now. Might be able to update this PR soon (along with the other npm dependency updates that we need to do).

SaptakS commented 1 year ago

@chigby this is ready for re-review