Page MenuHomePhabricator
Create Task
Maniphest T226029

npm: upgrade stylelint to 9.8.0 or higher
Closed, DuplicatePublic
Actions

Description

There's currently a node.js vulnerability in the braces package required indirectly by stylelint (stylelint > micromatch > braces).

It's fixed by upgrading stylelint to 9.8.0, which requires the micromatch version that first requires the fixed braces.

Affected extensions (per Github alert):

  • CodeReview
  • Collection
  • ContributionTracking

Related Objects

Event Timeline

Mholloway created this task.Jun 18 2019, 3:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2019, 3:29 PM
Jdforrester-WMF subscribed.Jun 18 2019, 3:32 PM

There are hundreds of repos which have an old version of stylelint, because we've not done the batch run yet. See T225325 item 1.3.1. :-) Nothing to stop you doing it early in a few repos, but the bot will get to it eventually.

Mholloway added a comment.Jun 18 2019, 3:46 PM

Ah -- there's a bot for this. Are the GitHub alerts more or less safe to ignore, then?

Jdforrester-WMF added a comment.Jun 18 2019, 3:49 PM
In T226029#5265940, @Mholloway wrote:

Ah -- there's a bot for this. Are the GitHub alerts more or less safe to ignore, then?

LibUp "should" let us keep on top of things, but it's not perfect. In this case, it's low risk, so yes.

Mholloway closed this task as a duplicate of T225325: LibraryUpgrader CI normalisation tasks, June/July 2019.Jun 18 2019, 4:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL