GHSA-f7xj-rg7h-mc87 – stylelint
Package
Manager: npm
Name: stylelint
Vulnerable Version: <0
Severity
Level: Low
CVSS v3.1: N/A
CVSS v4.0: N/A
EPSS: N/A (percentile: N/A)
Details
Stylelint has vulnerability in semver dependency

### Summary

Our `meow` dependency (which we use for our CLI) depended on `semver@5.7.1`. A vulnerability in this version of `semver` was recently identified and surfaced by `npm audit`: Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

### Details

Original post by the reporter:

"my npm audit shows the report

```
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
```

And my dependencies tree for semver shows your package

```
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│   └─┬ read-pkg-up@7.0.1
│     └─┬ read-pkg@5.2.0
│       └─┬ normalize-package-data@2.5.0
│         └── semver@5.7.1 deduped
```

I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."

Update your package to use the 'meow' version >=10"

### PoC

N/A

### Impact

We anticipate the impact to be low as Stylelint is a dev tool and `meow` is only used on the CLI pathway.

---

⬇️ EDITED AFTER PUBLISHED ⬇️

### Security fix backported to older `semver` versions

The same security fix has been backported to the older `semver` 5.x and 6.x lines. See the [CVE-2022-25883](https://github.com/advisories/GHSA-c2qf-rxjj-qqgw) details.

So, you can fix this vulnerability by just updating `semver` in your project's dependency tree, instead of updating `stylelint`. For details, see the example:

`package.json`:

```json
{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}
```

Run `npm audit` (there is no alert for `semver`):

```console
$ npm ci
...
$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...
$ npm ls semver
...
└─┬ stylelint@15.10.0
  └─┬ meow@9.0.0
    ├─┬ normalize-package-data@3.0.3
    │ └── semver@7.5.4
    └─┬ read-pkg-up@7.0.1
      └─┬ read-pkg@5.2.0
        └─┬ normalize-package-data@2.5.0
          └── semver@5.7.2
```
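The backport note above means the question for a project is not "which stylelint do I have" but "which copies of `semver` are physically installed, and is each one at or above the patched release for its major line". The following is an added example, not code from the advisory or from the stylelint project: it walks the `packages` map of a `package-lock.json` (lockfile v2/v3), where every installed copy is keyed by its `node_modules` path, and reports copies of `semver` still below the fixed version. The two lock structures are constructed to mirror the reporter's tree (hoisted `semver@5.7.1`, plus `semver@7.5.4` nested under `meow`'s `normalize-package-data@3.0.3`) and the fixed state (`5.7.2`). The 7.5.2 and 5.7.2 thresholds come from this page; the 6.x backport version 6.3.1 is taken from the linked semver advisory, not from this page, and is marked as such in the code.

```python
"""Find vulnerable transitive copies of `semver` in a package-lock.json.

Added example (not part of the advisory). Works on lockfileVersion 2/3, whose
"packages" map keys each installed package by its node_modules path.
"""
import copy
import json
import re

# Lowest fixed release per major line for GHSA-c2qf-rxjj-qqgw.
# 7.5.2 and 5.7.2 appear on the advisory page; 6.3.1 is the 6.x backport
# as listed in the linked semver advisory (assumption relative to this page).
PATCHED = {5: (5, 7, 2), 6: (6, 3, 1), 7: (7, 5, 2)}


def parse_version(version):
    """Return (major, minor, patch) as ints; any pre-release suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_semver(version):
    """True if this semver release predates the fix for its major line."""
    v = parse_version(version)
    if v[0] < 5:
        return True      # no backport exists below 5.x
    if v[0] > 7:
        return False     # 8.x and later were cut after the fix
    return v < PATCHED[v[0]]


def dependency_chain(path):
    """Physical nesting of a lock path, e.g. ['meow', 'normalize-package-data', 'semver'].

    Note: because npm hoists packages, this is where the copy lives on disk,
    not the logical dependency chain that `npm ls semver` prints.
    """
    return [seg.strip("/") for seg in path.split("node_modules/")[1:]]


def find_vulnerable_semver(lock):
    """Return sorted (node_modules_path, version) pairs for affected semver copies."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # The package name is the last segment after the final "node_modules/".
        if path.rsplit("node_modules/", 1)[-1] != "semver":
            continue
        if is_vulnerable_semver(meta["version"]):
            hits.append((path, meta["version"]))
    return sorted(hits)


def load_lock(lock_path):
    """Read a real package-lock.json from disk."""
    with open(lock_path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed lock mirroring the reporter's tree: stylelint -> meow@9 ->
# read-pkg-up -> read-pkg -> normalize-package-data@2.5.0 -> semver@5.7.1
# (hoisted to the root), and meow's own normalize-package-data@3.0.3 with a
# nested semver@7.5.4.
LOCK_BEFORE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"stylelint": "15.9.0"}},
        "node_modules/stylelint": {"version": "15.9.0"},
        "node_modules/meow": {"version": "9.0.0"},
        "node_modules/read-pkg-up": {"version": "7.0.1"},
        "node_modules/read-pkg": {"version": "5.2.0"},
        "node_modules/normalize-package-data": {"version": "2.5.0"},
        "node_modules/semver": {"version": "5.7.1"},
        "node_modules/meow/node_modules/normalize-package-data": {"version": "3.0.3"},
        "node_modules/meow/node_modules/normalize-package-data/node_modules/semver": {
            "version": "7.5.4"
        },
    },
}

# Same tree after bumping only the hoisted semver to the 5.x backport.
LOCK_AFTER = copy.deepcopy(LOCK_BEFORE)
LOCK_AFTER["packages"]["node_modules/semver"]["version"] = "5.7.2"


if __name__ == "__main__":
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        hits = find_vulnerable_semver(lock)
        print(f"{label}: {len(hits)} vulnerable semver copy/copies")
        for path, version in hits:
            print("  ", " > ".join(dependency_chain(path)), f"semver@{version}")
```

To run this against a real project, replace the constructed dictionaries with `load_lock("package-lock.json")`. A clean result here corresponds to the `npm ls semver` output shown in the advisory, where every copy is 5.7.2 or newer; `npm audit` may still flag `stylelint` itself by version range, as the advisory's console output shows, even though no vulnerable `semver` remains installed.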
Metadata
Created: 2023-07-07T20:32:55Z
Modified: 2023-07-13T16:49:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-f7xj-rg7h-mc87/GHSA-f7xj-rg7h-mc87.json
CWE IDs: []
Alternative ID: N/A
Finding: N/A
Auto approve: 0