Problem/Motivation

Whilst trying to update yargs-parser to a safe version, we discovered in #15 and #16 that we won't be able to update the old version of yargs-parser depended on by stylelint-no-browser-hacks.

stylelint-no-browser-hacks hasn't been updated in 4 years, so there's no expectation it will be in the near future. It's de facto abandoned.

It currently introduces these vulnerabilities:

$ yarn audit

Output snipped to show only the stylelint-no-browser-hacks-related vulnerabilities.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > meow > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss-less >      │
│               │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss-safe-parser │
│               │ > postcss                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss-scss >      │
│               │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > sugarss > postcss   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss-reporter >  │
│               │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss-sass >      │
│               │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1693                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Regular Expression Denial of Service in trim                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > postcss-markdown >  │
│               │ remark > remark-parse > trim                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1700                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

Note: The postcss-related vulnerabilities are not caused by stylelint-no-browser-hacks alone and will be handled in #3214351: [PP-1] [security] Update postcss and locked dev dependencies to address security issues.

However, the "high"-rated Regular Expression Denial of Service in trim and the "low"-rated Prototype Pollution in yargs-parser in particular are caused solely by stylelint-no-browser-hacks.

It also keeps us from moving postcss to a safe version (>=8.2.10), since it depends on stylehacks:^2.3, which pulls in postcss@5.2.18:

$ npm ls postcss
Drupal@ /mnt/d/htdocs/drupal/core
├── postcss@7.0.35
[snipped for sanity]
├─┬ stylelint-no-browser-hacks@1.2.1
│ ├─┬ stylehacks@2.3.2
│ │ ├── postcss@5.2.18
│ │ └─┬ postcss-reporter@1.4.1
│ │   └── postcss@5.2.18
│ └─┬ stylelint@9.10.1
│   ├── postcss@7.0.35  deduped
│   ├─┬ postcss-reporter@6.0.1
│   │ └── postcss@7.0.35  deduped
│   └─┬ postcss-sass@0.3.5
│     └── postcss@7.0.35  deduped
[snipped for sanity]
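To make the distinction above ("caused solely by" versus "not caused by it alone") mechanical, here is an added example (not code from the issue, Drupal or yarn) that reads `yarn audit --json` records and buckets each advisory by whether all, some or none of its dependency paths are rooted at the direct dependency being removed. The record layout is assumed from yarn 1.x, and the sample records, the `other-root-package` route and the advisory-0 finding are constructed placeholders modelled on the audit table above.

```javascript
'use strict';

// Added example (not from the issue or from yarn): given `yarn audit --json`
// output, decide which advisories are reachable ONLY through a direct dependency
// we intend to remove, which are reachable partly through it, and which it does
// not touch at all.

// Constructed sample in the shape `yarn audit --json` emits (NDJSON, one record
// per line; the type / data.resolution / data.advisory layout is an assumption
// based on yarn 1.x). Values are modelled on the issue's audit table;
// 'other-root-package' stands in for any second route to postcss, and advisory 0
// is a placeholder finding unrelated to the package being removed.
function auditRecord(id, path, advisory) {
  return { type: 'auditAdvisory', data: { resolution: { id, path }, advisory } };
}
const POSTCSS_REDOS = { module_name: 'postcss', severity: 'moderate',
  title: 'Regular Expression Denial of Service', patched_versions: '>=8.2.10' };
const SAMPLE_AUDIT_NDJSON = [
  auditRecord(1500, 'stylelint-no-browser-hacks>stylelint>meow>yargs-parser',
    { module_name: 'yargs-parser', severity: 'low', title: 'Prototype Pollution',
      patched_versions: '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2' }),
  auditRecord(1693, 'stylelint-no-browser-hacks>stylelint>postcss', POSTCSS_REDOS),
  auditRecord(1693, 'stylelint-no-browser-hacks>stylelint>sugarss>postcss', POSTCSS_REDOS),
  auditRecord(1693, 'other-root-package>postcss', POSTCSS_REDOS),
  auditRecord(1700, 'stylelint-no-browser-hacks>stylelint>postcss-markdown>remark>remark-parse>trim',
    { module_name: 'trim', severity: 'high',
      title: 'Regular Expression Denial of Service in trim', patched_versions: '>=0.0.3' }),
  auditRecord(0, 'other-root-package>placeholder-lib',
    { module_name: 'placeholder-lib', severity: 'moderate',
      title: 'placeholder finding (constructed)', patched_versions: '>=1.0.0' }),
  { type: 'auditSummary', data: { vulnerabilities: { low: 1, moderate: 4, high: 1 } } },
].map((rec) => JSON.stringify(rec)).join('\n');

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Parse NDJSON into flat findings, one per (advisory, dependency path).
// Non-JSON lines (yarn warnings) and non-advisory records (auditSummary) are skipped.
function parseAuditLines(ndjson) {
  const findings = [];
  for (const raw of ndjson.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    if (rec.type !== 'auditAdvisory' || !rec.data) continue;
    const { resolution, advisory } = rec.data;
    findings.push({
      id: resolution.id,
      module: advisory.module_name,
      severity: advisory.severity,
      title: advisory.title,
      patched: advisory.patched_versions,
      path: resolution.path.split('>'), // root (the direct dependency) comes first
    });
  }
  return findings;
}

// Group findings by advisory and bucket them by how removing `target` (a direct
// dependency, i.e. the first element of a path) affects them. Only paths rooted at
// `target` disappear when it is removed; a path that merely passes through the same
// package name mid-way is installed via another root and survives.
function classifyRemoval(findings, target) {
  const byAdvisory = new Map();
  for (const f of findings) {
    if (!byAdvisory.has(f.id)) {
      byAdvisory.set(f.id, { id: f.id, module: f.module, severity: f.severity,
        title: f.title, patched: f.patched, paths: [] });
    }
    byAdvisory.get(f.id).paths.push(f.path);
  }
  const result = { solelyVia: [], partiallyVia: [], unaffected: [] };
  for (const adv of byAdvisory.values()) {
    const rooted = adv.paths.filter((p) => p[0] === target).length;
    let bucket;
    if (rooted === 0) bucket = 'unaffected';
    else if (rooted === adv.paths.length) bucket = 'solelyVia';
    else bucket = 'partiallyVia';
    result[bucket].push(adv);
  }
  // Highest severity first within each bucket, so the report leads with what matters.
  const bySeverity = (a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0);
  for (const list of Object.values(result)) list.sort(bySeverity);
  return result;
}

// Human-readable summary of the three buckets.
function formatReport(result, target) {
  const lines = [];
  const section = (label, advisories) => {
    lines.push(`${label} (${advisories.length}):`);
    for (const a of advisories) {
      const rooted = a.paths.filter((p) => p[0] === target).length;
      lines.push(`  [${a.severity}] ${a.module} #${a.id}: ${a.title}; patched in ${a.patched}; ` +
        `${rooted}/${a.paths.length} paths via ${target}`);
    }
  };
  section(`Fixed entirely by removing ${target}`, result.solelyVia);
  section(`Partially via ${target}, other paths remain`, result.partiallyVia);
  section(`Not affected by removing ${target}`, result.unaffected);
  return lines.join('\n');
}

// Usage: node audit-removal.js <direct-dependency> [audit.ndjson]; without a file
// the constructed sample above is used.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const target = process.argv[2] || 'stylelint-no-browser-hacks';
  const input = process.argv[3] ? require('fs').readFileSync(process.argv[3], 'utf8') : SAMPLE_AUDIT_NDJSON;
  console.log(formatReport(classifyRemoval(parseAuditLines(input), target), target));
}
```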

Proposed resolution

Remove stylelint-no-browser-hacks.

Running yarn lint:css shows the same clean result before and after removing it.

Doing:

$ cp yarn.lock old.yarn.lock
$ yarn remove stylelint-no-browser-hacks
$ yarn-lock-diff -o old.yarn.lock -n yarn.lock

Produces the following output:

┌────────────────────────────┬─────────────────────────────┬─────────────────────┐
│package name                │ old version(s)              │new version(s)       │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│@mrmlnc/readdir-enhanced    │2.2.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│@nodelib/fs.stat            │[..., 2.0.4], 1.1.3          │[...], 2.0.4         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│@types/glob                 │7.1.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│@types/minimatch            │3.0.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│@types/vfile-message        │2.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│@types/vfile                │3.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│ansi-regex                  │[..., 5.0.0], 4.1.0, 3.0.0, 2.1.1│[...], 5.0.0, 4.1.0, 3.0.0│
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│ansi-styles                 │[..., 4.3.0], 3.2.1, 2.2.1   │[...], 4.3.0, 3.2.1  │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│arr-diff                    │4.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│arr-flatten                 │1.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│arr-union                   │3.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│array-find-index            │1.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│array-union                 │[..., 2.1.0], 1.0.2          │[...], 2.1.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│array-uniq                  │1.0.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│array-unique                │0.3.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│assign-symbols              │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│astral-regex                │[..., 2.0.0], 1.0.0          │[...], 2.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│atob                        │2.1.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│base                        │0.11.2                       │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│braces                      │[..., 3.0.2], 2.3.2          │[...], 3.0.2         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│browserslist                │[..., 4.16.6], 1.7.7         │[...], 4.16.6        │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│cache-base                  │1.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│call-me-maybe               │1.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│caller-callsite             │2.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│caller-path                 │2.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│callsites                   │[..., 3.1.0], 2.0.0          │[...], 3.1.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│camelcase-keys              │[..., 6.2.2], 4.2.0          │[...], 6.2.2         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│camelcase                   │[..., 5.3.1], 4.1.0          │[...], 5.3.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│caniuse-db                  │1.0.30001226                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│ccount                      │1.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│chalk                       │[..., 4.1.1], 3.0.0, 2.4.2, 1.1.3│[...], 4.1.1, 3.0.0, 2.4.2│
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│character-entities-html4    │1.1.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│class-utils                 │0.3.6                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│clone-regexp                │[..., 2.2.0], 1.0.1          │[...], 2.2.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│collapse-white-space        │1.0.6                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│collection-visit            │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│component-emitter           │1.3.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│copy-descriptor             │0.1.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│cosmiconfig                 │[..., 7.0.0], 5.2.1          │[...], 7.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│currently-unhandled         │0.4.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│decode-uri-component        │0.2.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│define-property             │0.2.5, 1.0.0, 2.0.2          │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│dir-glob                    │[..., 3.0.1], 2.2.2          │[...], 3.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│execall                     │[..., 2.0.0], 1.0.0          │[...], 2.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│expand-brackets             │2.1.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│extend-shallow              │2.0.1, 3.0.2                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│extglob                     │2.0.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│fast-glob                   │[..., 3.2.5], 2.2.7          │[...], 3.2.5         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│file-entry-cache            │[..., 6.0.1], 4.0.0          │[...], 6.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│fill-range                  │[..., 7.0.1], 4.0.0          │[...], 7.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│flat-cache                  │[..., 3.0.4], 2.0.1          │[...], 3.0.4         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│flatted                     │[..., 3.1.1], 2.0.2          │[...], 3.1.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│for-in                      │1.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│fragment-cache              │0.2.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│gather-stream               │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│get-value                   │2.0.6                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│glob-parent                 │[..., 5.1.2], 3.1.0          │[...], 5.1.2         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│glob-to-regexp              │0.3.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│globby                      │[..., 9.2.0]                 │[...]                │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│has-ansi                    │2.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│has-flag                    │[..., 4.0.0], 3.0.0, 1.0.0   │[...], 4.0.0, 3.0.0  │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│has-value                   │0.3.1, 1.0.0                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│has-values                  │0.1.4, 1.0.0                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│html-tags                   │[..., 3.1.0], 2.0.0          │[...], 3.1.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│import-fresh                │[..., 3.3.0], 2.0.0          │[...], 3.3.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│import-lazy                 │[..., 4.0.0], 3.1.0          │[...], 4.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│indent-string               │[..., 4.0.0], 3.2.0          │[...], 4.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│irregular-plurals           │1.4.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-accessor-descriptor      │0.1.6, 1.0.0                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-alphanumeric             │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-buffer                   │[..., 2.0.5], 1.1.6          │[...], 2.0.5         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-data-descriptor          │0.1.4, 1.0.0                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-descriptor               │0.1.6, 1.0.2                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-directory                │0.3.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-extendable               │0.1.1, 1.0.1                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-glob                     │[..., 4.0.1], 3.1.0          │[...], 4.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-number                   │[..., 7.0.0], 3.0.0          │[...], 7.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-regexp                   │[..., 2.1.0], 1.0.0          │[...], 2.1.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-supported-regexp-flag    │1.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-whitespace-character     │1.0.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-windows                  │1.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│is-word-character           │1.0.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│isarray                     │[..., 1.0.0]                 │[...]                │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│isobject                    │[..., 3.0.1], 2.1.0          │[...], 3.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│js-base64                   │2.6.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│kind-of                     │[..., 4.0.0], 3.2.2          │[...], 6.0.3         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│known-css-properties        │[..., 0.21.0], 0.11.0        │[...], 0.21.0        │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│leven                       │2.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│log-symbols                 │[..., 4.1.0], 3.0.0, 2.2.0, 1.0.2│[...], 4.1.0, 3.0.0, 2.2.0│
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│loud-rejection              │1.6.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│map-cache                   │0.2.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│map-obj                     │[..., 4.2.1], 2.0.0          │[...], 4.2.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│map-visit                   │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│markdown-escapes            │1.0.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│markdown-table              │1.1.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│mdast-util-compact          │1.0.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│meow                        │[..., 9.0.0], 5.0.0          │[...], 9.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│micromatch                  │[..., 4.0.4], 3.1.10         │[...], 4.0.4         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│minimist-options            │[..., 4.1.0], 3.0.2          │[...], 4.1.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│mixin-deep                  │1.3.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│nanomatch                   │1.2.13                       │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│object-copy                 │0.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│object-visit                │1.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│object.pick                 │1.3.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│parse-entities              │[..., 2.0.0], 1.2.2          │[...], 2.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│pascalcase                  │0.1.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│path-dirname                │1.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│plur                        │2.1.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│posix-character-classes     │0.1.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│postcss-jsx                 │0.36.4                       │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│postcss-markdown            │0.36.0                       │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│postcss-reporter            │1.4.1, 6.0.1                 │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│postcss-sass                │[..., 0.4.4], 0.3.5          │[...], 0.4.4         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│postcss-selector-parser     │[..., 5.0.0], 3.1.2, 2.2.3   │[...], 6.0.6, 5.0.0  │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│postcss                     │[..., 7.0.35], 5.2.18        │[...], 7.0.35        │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│quick-lru                   │[..., 4.0.1], 1.1.0          │[...], 4.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│read-file-stdin             │0.2.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│redent                      │[..., 3.0.0], 2.0.0          │[...], 3.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│regex-not                   │1.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│remark-parse                │[..., 9.0.0], 6.0.3          │[...], 9.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│remark-stringify            │[..., 9.0.1], 6.0.4          │[...], 9.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│remark                      │[..., 13.0.0], 10.0.1        │[...], 13.0.0        │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│repeat-element              │1.1.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│replace-ext                 │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│resolve-from                │[..., 5.0.0], 4.0.0, 3.0.0   │[...], 5.0.0, 4.0.0  │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│resolve-url                 │0.2.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│rimraf                      │[..., 3.0.2], 2.6.3          │[...], 3.0.2         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│safe-regex                  │1.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│set-value                   │2.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│slash                       │[..., 3.0.0], 2.0.0          │[...], 3.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│slice-ansi                  │[..., 4.0.0], 2.1.0          │[...], 4.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│snapdragon-node             │2.1.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│snapdragon-util             │3.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│snapdragon                  │0.8.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│source-map-resolve          │0.5.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│source-map-url              │0.4.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│split-string                │3.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│state-toggle                │1.0.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│static-extend               │0.1.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│stringify-entities          │1.3.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│strip-ansi                  │[..., 6.0.0], 5.2.0, 4.0.0, 3.0.1│[...], 6.0.0, 5.2.0, 4.0.0│
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│strip-indent                │[..., 3.0.0], 2.0.0          │[...], 3.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│stylehacks                  │2.3.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│stylelint-no-browser-hacks  │1.2.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│stylelint                   │[..., 9.10.1]                │[...]                │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│supports-color              │[..., 6.1.0], 6.0.0, 5.5.0, 3.2.3, 2.0.0│[...], 7.2.0, 6.1.0, 6.0.0, 5.5.0│
├────────────────────────────┼────────────────────────────────────────┼─────────────────────────────────┤
│table                       │[..., 6.7.1], 5.4.6          │[...], 6.7.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│to-object-path              │0.3.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│to-regex-range              │[..., 5.0.1], 2.1.1          │[...], 5.0.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│to-regex                    │3.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│trim-newlines               │[..., 3.0.0], 2.0.0          │[...], 3.0.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│trim-trailing-lines         │1.1.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│trim                        │0.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unherit                     │1.1.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unified                     │[..., 9.2.1], 7.1.0          │[...], 9.2.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│union-value                 │1.0.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unist-util-find-all-after   │[..., 3.0.2], 1.0.5          │[...], 3.0.2         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unist-util-is               │[..., 4.1.0], 3.0.0          │[...], 4.1.0         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unist-util-remove-position  │1.1.4                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unist-util-stringify-positi…│[..., 2.0.3], 1.1.2          │[...], 2.0.3         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unist-util-visit-parents    │2.1.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unist-util-visit            │1.4.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│unset-value                 │1.0.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│urix                        │0.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│use                         │3.1.1                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│vfile-location              │2.0.6                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│vfile-message               │[..., 2.0.4], 1.1.1          │[...], 2.0.4         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│vfile                       │[..., 4.2.1], 3.0.1          │[...], 4.2.1         │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│write-file-stdout           │0.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│write                       │1.0.3                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│x-is-string                 │0.1.0                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│xtend                       │4.0.2                        │-                    │
├────────────────────────────┼─────────────────────────────┼─────────────────────┤
│yargs-parser                │[..., 20.2.7], 13.1.2, 10.1.0│[...], 20.2.7, 13.1.2│
└────────────────────────────┴─────────────────────────────┴─────────────────────┘

As can be seen it massively reduces the amount of (mostly very old) dependencies.

TL;DR: (Well, you made it until here...)

Why do you wanna get rid of stylelint-no-browser-hacks so badly, dude?

  • stylelint-no-browser-hacks is de facto abandoned.
  • stylelint-no-browser-hacks currently introduces 2 (1 high, 1 low) vulnerabilities
  • Removing stylelint-no-browser-hacks and running yarn lint:css shows the same clean result before and after removing this.
  • It is (one of the packages) preventing us from moving to a safe version of postcss.

Questions

Are there css browser-hacks that we want to preserve in core?
Is there another way to check for any to verify this is safe to remove?

Original issue summary (IS) from this issue, which was previously titled: Update yargs-parser to a safe version

Problem/Motivation

We're updating libraries that have released security releases on #3118741: [Security] Update yarn dependencies to fix security issues. The only remaining package to update was yargs-parser which is included in the dependency tree because of stylelint-no-browser-hacks.

Proposed resolution

Update stylelint-no-browser-hacks so that we can update to a safe version of yargs.

Comment  File              Size       Author
#16      3144854-16.patch  118.96 KB  zrpnr
#6       3144854-6.patch   84.16 KB   mherchel
#3       3144854-3.patch   178.87 KB  komalk

Issue fork drupal-3144854

Comments

lauriii created an issue. See original summary.

lauriii’s picture

Title: Update yargs to a safe version » Update yargs-parser to a safe version
Issue summary: View changes
komalk’s picture

Status: Active » Needs review
File status: new, size: 178.87 KB

I tried to use yarn upgrade-interactive to do a minimal upgrade to fix the warnings from yarn audit, but it is not possible.

yarn upgrade
yarn build
yarn lint:core-js-passing --fix
yarn lint:css 

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

mherchel’s picture

Status: Needs review » Needs work

According to CI, prev patch does not apply.

mherchel’s picture

Status: Needs work » Needs review
File status: new, size: 84.16 KB

Not sure if I did this correctly.

It looked to me like there were a number of stylelint plugins that depended on yargs-parser, so I did a yarn upgrade --pattern stylelint, which upgrades all of the stylelint plugins. I then verified that yarn lint:css still works as expected.

I also verified that the yarn.lock file says that yargs-parser was upgraded to the latest version (20.2.7).

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

kristen pol’s picture

Thanks for the patch.

Applied it to 9.2 and it updated core/yarn.lock as expected. Then ran composer update and these were updated:

	modified:   composer.lock
	modified:   composer/Metapackage/CoreRecommended/composer.json
	modified:   composer/Metapackage/PinnedDevDependencies/composer.json

I see the yargs-parser was updated from ^18.1.3 to:

+yargs-parser@^20.2.3:
+  version "20.2.7"
+  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-20.2.7.tgz#61df85c113edfb5a7a4e36eb8aa60ef423cbc90a"

I'm unclear why it's specified as ^20.2.3 when it's using 20.2.7.

And, I'm not sure how to get yarn lint:css to work as I get errors:

KristenBackupMBP:core admin$ yarn lint:css
yarn run v1.22.10
$ stylelint "**/*.css"
Error: Could not find "stylelint-no-browser-hacks/lib". Do you need a `configBasedir`?
    at module.exports (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/stylelint/lib/utils/configurationError.js:10:14)
    at getModulePath (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/stylelint/lib/utils/getModulePath.js:27:9)
    at /Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/stylelint/lib/augmentConfig.js:123:11
    at Array.map (<anonymous>)
    at absolutizePaths (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/stylelint/lib/augmentConfig.js:122:72)
    at /Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/stylelint/lib/augmentConfig.js:39:11
    at async run (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/cosmiconfig/dist/Explorer.js:42:31)
    at async cacheWrapper (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/cosmiconfig/dist/cacheWrapper.js:16:18)
    at async cacheWrapper (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/cosmiconfig/dist/cacheWrapper.js:16:18)
    at async Explorer.search (/Users/admin/Sites/drupal/drupal9/drupal-9.2.x-dev/core/node_modules/cosmiconfig/dist/Explorer.js:27:20)
error Command failed with exit code 78.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Also, note the yarn audit results from the nightwatch issue in case they are relevant:

#3211810: [security] Update Nightwatch and locked dev dependencies to address security issues

spokje’s picture

@Kristen Pol

For me the patch works.

I'm unclear why it's specified as ^20.2.3 when it's using 20.2.7.

I would say newer is better?

Then ran composer update and these were updated:

Not sure this step is needed.

And, I'm not sure how to get yarn lint:css to work as I get errors:

Both with and without the composer update step I get:

/mnt/d/htdocs/drupal/core$ yarn lint:css
yarn run v1.22.10
$ stylelint "**/*.css"
Done in 36.43s.
spokje’s picture

Having said that..

frank@LAPTOP-EMEOAUGS:/mnt/d/htdocs/drupal/core$ yarn audit
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ netmask npm package vulnerable to octal input data           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ netmask                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > proxy-agent > pac-proxy-agent > pac-resolver >  │
│               │ netmask                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1658                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > mocha > yargs > y18n                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1654                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > mocha > yargs-unparser > yargs > y18n           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1654                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > meow > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 1166
Severity: 1 Low | 3 High
Done in 1.62s.

yarn audit still gives a vulnerability on yargs-parser.

Looks like nightwatch still needs vulnerable version yargs-parser@13.1.2

frank@LAPTOP-EMEOAUGS:/mnt/d/htdocs/drupal/core$ yarn why yargs-parser
yarn why v1.22.10
[1/4] Why do we have the module "yargs-parser"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "yargs-parser@13.1.2"
info Has been hoisted to "yargs-parser"
info Reasons this module exists
   - Hoisted from "nightwatch#mocha#yargs-parser"
   - Hoisted from "nightwatch#mocha#yargs#yargs-parser"
info Disk size without dependencies: "67.5KB"
info Disk size with unique dependencies: "77KB"
info Disk size with transitive dependencies: "77KB"
info Number of shared dependencies: 2
=> Found "meow#yargs-parser@20.2.7"
info This module exists because "stylelint#meow" depends on it.
info Disk size without dependencies: "122KB"
info Disk size with unique dependencies: "122KB"
info Disk size with transitive dependencies: "122KB"
info Number of shared dependencies: 0
=> Found "stylelint-no-browser-hacks#yargs-parser@10.1.0"
info Reasons this module exists
   - "stylelint-no-browser-hacks#stylelint#meow" depends on it
   - Hoisted from "stylelint-no-browser-hacks#stylelint#meow#yargs-parser"
info Disk size without dependencies: "49KB"
info Disk size with unique dependencies: "54.5KB"
info Disk size with transitive dependencies: "54.5KB"
info Number of shared dependencies: 1
Done in 0.60s.

So I _think_ this might need to be solved in one go in #3211810: [security] Update Nightwatch and locked dev dependencies to address security issues?

kristen pol’s picture

Thanks. I must have not done all the steps before. If I do:

yarn install --force
yarn upgrade
yarn build

first then I get:

KristenBackupMBP:core admin$ yarn lint:css 
yarn run v1.22.10
$ stylelint "**/*.css"
✨  Done in 14.41s.

and

KristenBackupMBP:core admin$ yarn audit
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-no-browser-hacks                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-no-browser-hacks > stylelint > meow > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1139
Severity: 1 Low
✨  Done in 1.60s.
kristen pol’s picture

Status: Needs review » Needs work

@xjm wanted to keep yargs-parser separated out from nightwatch, so leaving this issue open, but moving it back to needs work based on #10 and #11.

kristen pol’s picture

spokje’s picture

Assigned: Unassigned » spokje

Used 3144854-6.patch as base for the freshly opened MR.

spokje’s picture

Assigned: spokje » Unassigned

Ok, this was...well...interesting.

As far as I can tell, we're never going to get rid of this (low) vulnerability unless stylelint-no-browser-hacks updates its dependency on the version of stylelint it is using.

Seeing that stylelint-no-browser-hacks hasn't been updated in 4 years, that might not happen.

So here's what's going on:

  • core/package.json requires "stylelint-no-browser-hacks": "^1.2.1" as a devDependency
  • stylelint-no-browser-hacks requires "stylelint": "^9.1" as a Dependency (See here)
  • The highest available stylelint with that constraint is 9.10.1 and this requires "meow": "^5.0.0" as a Dependency (See here)
  • The highest available meow with that constraint is v5.0.0 and this requires "yargs-parser": "^10.0.0" as a Dependency (See here)

Version 10.0.0 of yargs-parser isn't in the patched version list:

│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2  

If I remove "stylelint-no-browser-hacks": "^1.2.1" from core/package.json and run yarn install && yarn audit no vulnerabilities are found.

So it looks like we have to either live with the vulnerability or drop using stylelint-no-browser-hacks.

Since it's only used as a devDependency for CSS linting and is not meant (and probably never used) to run on any Live site, I think the risk is very, very low.
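
The resolution chain in the comment above can be checked mechanically. What follows is an added example, not code from Drupal core, yarn or stylelint: it resolves each caret constraint to the highest published version in a constructed mini-registry (which lists only the versions mentioned on this issue), then checks the resolved yargs-parser against the advisory's "Patched in" ranges and prints the offending path in the same shape as the yarn audit output. The range handling is a deliberately small subset of semver (caret ranges and plain comparators), not the real semver package.

```javascript
// Added example (not Drupal core's, yarn's or stylelint's code): resolve the
// dependency chain from the comment above the way yarn would for caret ranges,
// then check the resolved leaf against the advisory's "Patched in" ranges.
// Assumptions: REGISTRY is a constructed mini-registry holding only versions
// mentioned on this issue; range handling is a small subset of semver.

const REGISTRY = {
  'stylelint-no-browser-hacks': { '1.2.1': { stylelint: '^9.1' } },
  stylelint: {
    '9.10.1': { meow: '^5.0.0' },
    '13.13.1': { meow: '^9.0.0' },
  },
  meow: {
    '5.0.0': { 'yargs-parser': '^10.0.0' },
    '9.0.0': { 'yargs-parser': '^20.2.3' },
  },
  'yargs-parser': { '10.1.0': {}, '13.1.2': {}, '20.2.7': {} },
};

// Advisory data exactly as yarn audit printed it on this issue.
const ADVISORY = {
  package: 'yargs-parser',
  patchedIn: '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2',
};

// "9.1" -> [9, 1, 0]: missing minor/patch components count as zero.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison of two dotted versions: negative, zero or positive.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret semantics: ^M.m.p keeps the leftmost non-zero component fixed.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  if (compare(version, base) < 0) return false;
  const [bM, bm] = parseVersion(base);
  const [vM, vm] = parseVersion(version);
  if (bM > 0) return vM === bM;
  if (bm > 0) return vM === 0 && vm === bm;
  return compare(version, base) === 0;
}

// Highest published version matching the range, or null if none does.
function highestSatisfying(name, range) {
  const published = REGISTRY[name];
  if (!published) throw new Error(`unknown package: ${name}`);
  const matching = Object.keys(published).filter((v) => satisfiesCaret(v, range)).sort(compare);
  return matching.length ? matching[matching.length - 1] : null;
}

// One space-separated comparator set such as ">=13.1.2 <14.0.0".
function satisfiesComparatorSet(version, setText) {
  return setText.trim().split(/\s+/).every((cmp) => {
    const m = /^(>=|<=|>|<|=?)(\d+(?:\.\d+){0,2})$/.exec(cmp);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const c = compare(version, m[2]);
    if (m[1] === '>=') return c >= 0;
    if (m[1] === '<=') return c <= 0;
    if (m[1] === '>') return c > 0;
    if (m[1] === '<') return c < 0;
    return c === 0;
  });
}

// A version is patched if it falls in any of the "||"-separated ranges.
function isPatched(version, patchedIn) {
  return patchedIn.split('||').some((set) => satisfiesComparatorSet(version, set));
}

// Walk the resolved tree from a root requirement and collect every path that
// ends at the advisory's package, with the version resolved at the leaf.
function findPaths(name, range, path = []) {
  const version = highestSatisfying(name, range);
  if (version === null) throw new Error(`no version of ${name} satisfies ${range}`);
  const here = [...path, `${name}@${version}`];
  if (name === ADVISORY.package) return [{ path: here, version }];
  return Object.entries(REGISTRY[name][version]).flatMap(([dep, r]) => findPaths(dep, r, here));
}

// Report only the paths whose resolved version is outside the patched ranges.
function audit(rootName, rootRange) {
  return findPaths(rootName, rootRange)
    .filter(({ version }) => !isPatched(version, ADVISORY.patchedIn))
    .map(({ path, version }) => ({ version, path: path.join(' > ') }));
}

console.log(audit('stylelint-no-browser-hacks', '^1.2.1')); // one unpatched path ending at yargs-parser@10.1.0
console.log(audit('stylelint', '^13.13.1')); // [] : resolves to yargs-parser@20.2.7, which is >=18.1.2
```

Running it reproduces the reasoning of the comment: the ^9.1 constraint pins stylelint to 9.10.1, which pins meow to 5.0.0, which cannot resolve yargs-parser past 10.x, and 10.1.0 sits in none of the patched ranges, so no yarn upgrade of the root project can clear the finding while that root dependency stays.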

zrpnr’s picture

Status: Needs work » Needs review
File status: new, size: 118.96 KB

The patch in #6 didn't apply against 9.3.x, but it also seems like it's got a lot of unrelated changes.
When I run yarn upgrade --pattern stylelint it doesn't make a diff for yarn.lock at all.

Maybe most of the changes in #6 were updated in #3211810: [security] Update Nightwatch and locked dev dependencies to address security issues which landed later.

Running yarn upgrade is going to update all the dependencies, which is already in progress in #3210633: Update JavaScript dependencies for Drupal 9.2

That also won't be able to update the old version of yargs-parser depended on by stylelint-no-browser-hacks pointed out in #15

└─┬ stylelint-no-browser-hacks@1.2.1
  └─┬ stylelint@9.10.1
    └─┬ meow@5.0.0
      └── yargs-parser@10.1.0

So it looks like we have to either live with the vulnerability or drop using stylelint-no-browser-hacks.

I agree with @Spokje, we should consider dropping stylelint-no-browser-hacks, then core will only have safe versions of yargs-parser.
We already have the updated version(s) of yargs-parser through nightwatch and stylelint.

Drupal
├─┬ nightwatch@1.6.3
│ └─┬ mocha@6.2.3
│   ├─┬ yargs@13.3.2
│   │ └── yargs-parser@13.1.2  deduped
│   └── yargs-parser@13.1.2
└─┬ stylelint@13.13.1
  └─┬ meow@9.0.0
    └── yargs-parser@20.2.7

Seems like stylelint-no-browser-hacks is relatively abandoned and the stylehacks it uses is not on github anymore. I tried removing it with yarn remove stylelint-no-browser-hacks and deleted references to it in .stylelintrc.json. Running yarn lint:css showed the same clean result before and after removing this.
The errors in #8 were because .stylelintrc.json still referenced this package.

Are there css browser-hacks that we want to preserve in core? Is there another way to check for any to verify this is safe to remove?

Removing this package cleans up yarn.lock a lot, removing many outdated and duplicate versions of packages we already have.
Currently yarn audit shows a vulnerability in trim as well, which is also a dependency of stylelint-no-browser-hacks, one more good reason to remove it. See: https://www.npmjs.com/advisories/1700

stylelint-no-browser-hacks@1.2.1
  └─┬ stylelint@9.10.1
    └─┬ postcss-markdown@0.36.0
      └─┬ remark@10.0.1
        └─┬ remark-parse@6.0.3
          └── trim@0.0.1

This patch was created by running yarn remove stylelint-no-browser-hacks and removing all references to it in core.

spokje’s picture

Assigned: Unassigned » spokje
Status: Needs review » Needs work

Working on a reroll that's needed after the committing of #3210633: Update JavaScript dependencies for Drupal 9.2.

spokje’s picture

Title: Update yargs-parser to a safe version » Remove stylelint-no-browser-hacks
Issue summary: View changes
spokje’s picture

Issue summary: View changes
spokje’s picture

Issue summary: View changes
spokje’s picture

Issue summary: View changes
spokje’s picture

Assigned: spokje » Unassigned
Status: Needs work » Needs review

Setting to NR to get more eyes on this.

spokje’s picture

Issue summary: View changes
spokje’s picture

Issue summary: View changes
zrpnr’s picture

I don't think I can RTBC this, since it's a reroll of my patch in #16 but I can confirm that the @Spokje MR 679 that's currently open looks good.

Running yarn remove stylelint-no-browser-hacks and then removing the usages in

  • core/modules/system/tests/modules/layout_test/templates/layout-test-2col.html.twig
  • core/.stylelintrc.json

gave me the same result as MR 679

bnjmnm made their first commit to this issue’s fork.

bnjmnm’s picture

Status: Needs review » Reviewed & tested by the community

I rebased the MR but made no additional changes. I confirmed all no-browser-hacks usage/mentions are removed, and pleased to see how cleaned-up yarn.lock is. I also ran an audit and confirmed everything would be addressed by #3214351: [PP-1] [security] Update postcss and locked dev dependencies to address security issues (which is blocked by this issue).

The worst-case scenario of this being removed (some browser hack css) is far preferable to having an unmaintained yarn-clogging dependency.

spokje’s picture

Yay @bnjmnm!

The worst-case scenario of this being removed (some browser hack css) is far preferable to having an unmaintained yarn-clogging dependency.

  • lauriii committed 8dbd33a on 9.3.x
    Issue #3144854 by Spokje, bnjmnm, mherchel, zrpnr, komalk, Kristen Pol:...

  • lauriii committed 29dde48 on 9.2.x
    Issue #3144854 by Spokje, bnjmnm, mherchel, zrpnr, komalk, Kristen Pol:...
lauriii’s picture

Version: 9.3.x-dev » 9.2.x-dev
Status: Reviewed & tested by the community » Fixed

Committed 8dbd33a and pushed to 9.3.x and 9.2.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.