chore(deps): update dependency stylelint to v15.10.1 [security] - autoclosed

[plural-renovate]

This PR contains the following updates:

Package	Type	Update	Change
stylelint (source)	devDependencies	minor	15.9.0 -> 15.10.1

GitHub Vulnerability Alerts

GHSA-f7xj-rg7h-mc87

Summary

Our meow dependency (which we use for our CLI) depended on [email protected] . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped

I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.

---

⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ └── [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

---

Release Notes

stylelint/stylelint (stylelint)

v15.10.1

Compare Source

• Security: fix for semver vulnerability (#​7043) (@​romainmenke).
• Fixed: invalid option regression on Windows 10 (#​7043) (@​romainmenke).

v15.10.0

Compare Source

• Added: media-query-no-invalid (#​6963) (@​romainmenke).
• Added: support for JS objects with extends config option (#​6998) (@​fpetrakov).
• Fixed: inconsistent errored properties in stylelint.lint() return value (#​6983) (@​ybiquitous).
• Fixed: {selector,value}-no-vendor-prefix performance (#​7016) (@​jeddy3).
• Fixed: custom-property-pattern performance (#​7009) (@​jeddy3).
• Fixed: function-linear-gradient-no-nonstandard-direction false positives for <color-interpolation-method> (#​6987) (@​romainmenke).
• Fixed: function-name-case performance (#​7010) (@​jeddy3).
• Fixed: function-no-unknown performance (#​7004) (@​jeddy3).
• Fixed: function-url-quotes performance (#​7011) (@​jeddy3).
• Fixed: hue-degree-notation false negatives for oklch (#​7015) (@​romainmenke).
• Fixed: hue-degree-notation performance (#​7012) (@​jeddy3).
• Fixed: media-feature-name-no-unknown false positives for environment-blending, nav-controls, prefers-reduced-data, and video-color-gamut (#​6978) (@​romainmenke).
• Fixed: media-feature-name-no-vendor-prefix positions for *-device-pixel-ratio (#​6977) (@​romainmenke).
• Fixed: no-descending-specificity performance (#​7026) (@​romainmenke).
• Fixed: no-duplicate-at-import-rules false negatives for imports with supports and layer conditions (#​7001) (@​romainmenke).
• Fixed: selector-anb-no-unmatchable performance (#​7042) (@​romainmenke).
• Fixed: selector-id-pattern performance (#​7013) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false negatives for pseudo-elements with matching names (#​6964) (@​Mouvedia).
• Fixed: selector-pseudo-element-no-unknown performance (#​7007) (@​jeddy3).
• Fixed: selector-type-case performance (#​7041) (@​romainmenke).
• Fixed: selector-type-no-unknown performance (#​7027) (@​romainmenke).
• Fixed: unit-disallowed-list false negatives with percentages (#​7018) (@​romainmenke).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

[netlify]

✅ Deploy Preview for plural-marketing ready!

Name	Link
🔨 Latest commit	50d61be
🔍 Latest deploy log	https://app.netlify.com/sites/plural-marketing/deploys/64a8b48cb86b800008b6b077
😎 Deploy Preview	https://deploy-preview-36--plural-marketing.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.