During the [[ https://phabricator.wikimedia.org/T242124#5860364 | security review for ext:EventStreamConfig ]], it was discovered with snyk.io's CLI that stylelint-config-wikimedia has vulnerable transitive dependencies via [[ https://github.com/stylelint/stylelint | stylelint ]], namely:
# **dot-prop@4.2.0, Prototype Pollution (medium risk)**
* Introduced by stylelint-config-wikimedia@0.8.0 > stylelint@12.0.0 > postcss-selector-parser@3.1.1 > dot-prop@4.2.0. This issue was fixed in versions: 5.1.1. See also: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489.
# **kind-of@6.0.2, Information Disclosure (low risk)**
* Introduced by stylelint-config-wikimedia@0.8.0 > stylelint@12.0.0 > global-modules@2.0.0 > global-prefix@3.0.0 > kind-of@6.0.2 and 44 other path(s). This issue was fixed in versions: 6.0.3. See also: https://snyk.io/vuln/SNYK-JS-KINDOF-537849.
The **low-severity** #vuln-infoleak for `kind-of` appears to be resolved within the latest [[ https://github.com/stylelint/stylelint/releases/tag/13.1.0 | 13.1.0 release of stylelint ]]. The **medium-severity** prototype pollution vulnerability for `dot-prop` still exists with the aforementioned 13.1.0 release, so I've filed a security issue with them [[ https://github.com/stylelint/stylelint/security/policy | via GitHub ]].
Lastly, would it be a good idea to set up a formal [[ https://github.com/wikimedia/stylelint-config-wikimedia/security/policy | security reporting policy for stylelint-config-wikimedia ]]? I believe GitHub is the canonical repo location for this code, correct?
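As an added example (not code from this task, stylelint or snyk), the kind of transitive-path check that produced the paths listed above: it walks a hand-constructed dependency graph mirroring those chains and reports every path that reaches a package below the advisory's first fixed version. The graph, the advisory table and the simple dotted-version comparison are assumptions for illustration; a real audit would build the graph from package-lock.json or `npm ls --json`.

```javascript
// Constructed graph: each "name@version" maps to the specs it depends on.
// Mirrors the two chains reported in the task; not real lockfile output.
const graph = {
  'stylelint-config-wikimedia@0.8.0': ['stylelint@12.0.0'],
  'stylelint@12.0.0': ['postcss-selector-parser@3.1.1', 'global-modules@2.0.0'],
  'postcss-selector-parser@3.1.1': ['dot-prop@4.2.0'],
  'global-modules@2.0.0': ['global-prefix@3.0.0'],
  'global-prefix@3.0.0': ['kind-of@6.0.2'],
  'dot-prop@4.2.0': [],
  'kind-of@6.0.2': [],
};

// Advisory table (package -> first fixed version), values taken from the task text.
const advisories = { 'dot-prop': '5.1.1', 'kind-of': '6.0.3' };

function splitSpec(spec) {
  const at = spec.lastIndexOf('@'); // lastIndexOf so scoped "@org/pkg@1.0.0" also works
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Compare dotted numeric versions; negative if a < b, 0 if equal, positive if a > b.
// (Assumption: plain x.y.z versions, no prerelease tags.)
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk from root; returns every path (array of specs) ending at a
// package whose version is below the advisory's fixed version.
function findVulnerablePaths(graph, advisories, root) {
  const results = [];
  const walk = (spec, path, seen) => {
    if (seen.has(spec)) return; // guard against dependency cycles
    const { name, version } = splitSpec(spec);
    const fixedIn = advisories[name];
    if (fixedIn && compareVersions(version, fixedIn) < 0) {
      results.push({ path: [...path, spec], fixedIn });
    }
    for (const dep of graph[spec] || []) walk(dep, [...path, spec], new Set([...seen, spec]));
  };
  walk(root, [], new Set());
  return results;
}

for (const f of findVulnerablePaths(graph, advisories, 'stylelint-config-wikimedia@0.8.0')) {
  console.log(`${f.path.join(' > ')} (fixed in ${f.fixedIn})`);
}
```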