During the security review for ext:EventStreamConfig, it was discovered with the snyk.io CLI that stylelint-config-wikimedia has vulnerable dependencies via stylelint, namely:
- dot-prop@4.2.0, Prototype Pollution (medium risk)
  - Introduced by stylelint-config-wikimedia@0.8.0 > stylelint@12.0.0 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0. This issue was fixed in versions: 5.1.1. See also: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489.
- kind-of@6.0.2, Information Disclosure (low risk)
  - Introduced by stylelint-config-wikimedia@0.8.0 > stylelint@12.0.0 > global-modules@2.0.0 > global-prefix@3.0.0 > kind-of@6.0.2 and 44 other path(s). This issue was fixed in versions: 6.0.3. See also: https://snyk.io/vuln/SNYK-JS-KINDOF-537849.
The low-severity information-disclosure vulnerability in kind-of appears to be resolved within the latest 13.1.0 release of stylelint. The medium-severity prototype pollution vulnerability in dot-prop still exists within the aforementioned 13.1.0 release, so I've filed a security issue with the stylelint project via GitHub.
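To see how a finding like the two above is derived from a lockfile, here is an added example (not part of this report or of the Snyk tooling) that walks a constructed npm lockfile-v1 tree, lists every dependency path that reaches a package, and keeps only the paths whose leaf version is older than the advisory's fixed version. The lockfile object is constructed to mirror the two paths quoted above; a real audit would load package-lock.json and a semver library instead of the plain numeric compare used here.

```javascript
// Added example (not from the report): walk a constructed npm lockfile-v1 tree,
// list every dependency path to a package and flag versions below the fix.
const constructedLock = { // constructed to mirror the two paths quoted above
  name: "stylelint-config-wikimedia", version: "0.8.0", requires: { stylelint: "^12.0.0" },
  dependencies: {
    stylelint: { version: "12.0.0",
      requires: { "postcss-selector-parser": "^3.1.1", "global-modules": "^2.0.0" },
      dependencies: { "postcss-selector-parser": { version: "3.1.1", requires: { "dot-prop": "^4.1.1" } } } },
    "dot-prop": { version: "4.2.0" },
    "global-modules": { version: "2.0.0", requires: { "global-prefix": "^3.0.0" } },
    "global-prefix": { version: "3.0.0", requires: { "kind-of": "^6.0.2" } },
    "kind-of": { version: "6.0.2" },
  },
};

// Compare dotted numeric versions (no prerelease tags); negative when a is older than b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Depth-first walk over `requires`, collecting "a@1 > b@2 > target@v" chains.
// Lockfile v1 resolves a `requires` entry from the nearest enclosing
// `dependencies` map (innermost first), which mirrors node_modules hoisting.
function findPaths(lock, target) {
  const paths = [];
  const walk = (node, name, ancestors, trail) => {
    trail = trail.concat(`${name}@${node.version}`);
    if (name === target) { paths.push(trail.join(" > ")); return; }
    if (ancestors.includes(node)) return; // cycle guard
    const scope = ancestors.concat(node);
    for (const dep of Object.keys(node.requires || {})) {
      // map over root..innermost, then pop() so the innermost match wins
      const child = scope.map((n) => (n.dependencies || {})[dep]).filter(Boolean).pop();
      if (child) walk(child, dep, scope, trail);
    }
  };
  walk(lock, lock.name, [], []);
  return paths;
}

// Keep only chains whose leaf version predates the advisory's fixed version.
function vulnerablePaths(lock, target, fixedIn) {
  // split("@").pop() also works for scoped names such as @scope/pkg@1.2.3
  return findPaths(lock, target).filter((p) =>
    compareVersions(p.split(" > ").pop().split("@").pop(), fixedIn) < 0);
}
```

Running `vulnerablePaths(constructedLock, "dot-prop", "5.1.1")` on the constructed tree returns the single stylelint > postcss-selector-parser > dot-prop chain; on a real lockfile the same walk is what produces the "and 44 other path(s)" count for kind-of.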
Lastly, would it be a good idea to set up a formal security reporting policy for stylelint-config-wikimedia? I believe GitHub is the canonical repo location for this code, correct?