Skip to content

chore(deps-dev): bump stylelint from 15.11.0 to 17.1.0#2672

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/stylelint-17.1.0
Open

chore(deps-dev): bump stylelint from 15.11.0 to 17.1.0#2672
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/stylelint-17.1.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 1, 2026
edited by cursor bot
Loading

Bumps stylelint from 15.11.0 to 17.1.0.

Release notes

Sourced from stylelint's releases.

17.1.0

It fixes 5 bugs and adds the display-notation rule. Before we turn it on in our standard config, we'd like to hear the community's thoughts on which options to use.

17.0.0

It contains 14 breaking changes, which we've detailed in the migrating to 17.0.0 guide. Additionally, it adds 3 options to the rules and fixes 9 bugs. We've also released compatible versions of our shared config, Visual Studio Code extension, Node.js Rule Tester and Jest preset.

  • Removed: CommonJS Node.js API (#8859) (@​jeddy3).
  • Removed: output property in the Node.js API returned resolved object (#8878) (@​jeddy3).
  • Removed: support for Node.js less than 20.19.0 (#8867) (@​jeddy3).
  • Removed: GitHub formatter (#8888) (@​jeddy3).
  • Removed: resolveNestedSelectors option from selector-class-pattern (#8931) (@​jeddy3).
  • Removed: checkContextFunctionalPseudoClasses option from selector-max-id (#8913) (@​jeddy3).
  • Changed: default fix mode to strict (#8889) (@​jeddy3).
  • Changed: report to be consistent and predictable in how it handles the provided position arguments (#8217) (@​romainmenke).
  • Changed: selector-max-* syntax rules for standard CSS nesting and modern functional pseudo-classes (#8913) (@​jeddy3).
  • Changed: *-specificity semantic rules for standard CSS nesting (#8913) (@​jeddy3).
  • Changed: no-duplicate-selectors and selector-no-qualifying-type for standard CSS nesting (#8913) (@​jeddy3).
  • Changed: *-list rules to have consistent behaviour for vendor prefixes and case (#8912) (@​jeddy3).
  • Changed: *-no-vendor-prefix rules to have consistent behaviour for their ignore*: [] secondary options (#8924) (@​jeddy3).
  • Changed: declaration-property-max-values rule to have consistent behaviour for vendor prefixes (#8926) (@​jeddy3).
  • Added: except: ["after-block"] to custom-property-empty-line-before (#8921) (@​kovsu).
  • Added: except: ["after-block"] to declaration-empty-line-before (#8910) (@​kovsu).
  • Added: ignoreSelectors: [] to no-duplicate-selectors (#8883) (@​kovsu).
  • Fixed: Windows drive letter casing inconsistencies when matching patterns against file paths (#8941) (@​adalinesimonian).
  • Fixed: CLI help to include TypeScript config files (#8908) (@​kovsu).
  • Fixed: at-rule-descriptor-no-unknown false positives for declarations within feature-value-blocks (#8868) (@​kovsu).
  • Fixed: declaration-block-no-redundant-longhand-properties false negatives for short and long combinations (#8892) (@​nathannewyen).
  • Fixed: media-feature-name-no-unknown false positives for namespaced dollar variables and range context queries (#8890) (@​kovsu).
  • Fixed: nesting-selector-no-missing-scoping-root false positives for CSS-in-JS (#8905) (@​kovsu).
  • Fixed: no-invalid-position-declaration false negatives for embedded blocks (#8907) (@​kovsu).
  • Fixed: selector-no-qualifying-type false negatives for :is/where() (#8940) (@​romainmenke).
  • Fixed: selector-type-no-unknown false positives for MathML 4 tags (#8874) (@​jeddy3).

16.26.1

It fixes numerous false positive bugs, including many in the declaration-property-value-no-unknown rule for the latest CSS specifications.

  • Fixed: *-no-unknown false positives for latest specs by integrating @csstools/css-syntax-patches-for-csstree (#8850) (@​romainmenke).
  • Fixed: at-rule-no-unknown false positives for @function (#8851) (@​jeddy3).
  • Fixed: declaration-property-value-no-unknown false positives for attr(), if() and custom functions (#8853) (@​jeddy3).
  • Fixed: function-url-quotes false positives when URLs require quoting (#8804) (@​taearls).
  • Fixed: selector-pseudo-element-no-unknown false positives for ::scroll-button() (#8856) (@​Mouvedia).

16.26.0

... (truncated)

Changelog

Sourced from stylelint's changelog.

17.1.0 - 2026-01-30

It fixes 5 bugs and adds the display-notation rule. Before we turn it on in our standard config, we'd like to hear the community's thoughts on which options to use.

17.0.0 - 2026-01-15

It contains 14 breaking changes, which we've detailed in the migrating to 17.0.0 guide. Additionally, it adds 3 options to the rules and fixes 9 bugs. We've also released compatible versions of our shared config, Visual Studio Code extension, Node.js Rule Tester and Jest preset.

  • Removed: CommonJS Node.js API (#8859) (@​jeddy3).
  • Removed: output property in the Node.js API returned resolved object (#8878) (@​jeddy3).
  • Removed: support for Node.js less than 20.19.0 (#8867) (@​jeddy3).
  • Removed: GitHub formatter (#8888) (@​jeddy3).
  • Removed: resolveNestedSelectors option from selector-class-pattern (#8931) (@​jeddy3).
  • Removed: checkContextFunctionalPseudoClasses option from selector-max-id (#8913) (@​jeddy3).
  • Changed: default fix mode to strict (#8889) (@​jeddy3).
  • Changed: report to be consistent and predictable in how it handles the provided position arguments (#8217) (@​romainmenke).
  • Changed: selector-max-* syntax rules for standard CSS nesting and modern functional pseudo-classes (#8913) (@​jeddy3).
  • Changed: *-specificity semantic rules for standard CSS nesting (#8913) (@​jeddy3).
  • Changed: no-duplicate-selectors and selector-no-qualifying-type for standard CSS nesting (#8913) (@​jeddy3).
  • Changed: *-list rules to have consistent behaviour for vendor prefixes and case (#8912) (@​jeddy3).
  • Changed: *-no-vendor-prefix rules to have consistent behaviour for their ignore*: [] secondary options (#8924) (@​jeddy3).
  • Changed: declaration-property-max-values rule to have consistent behaviour for vendor prefixes (#8926) (@​jeddy3).
  • Added: except: ["after-block"] to custom-property-empty-line-before (#8921) (@​kovsu).
  • Added: except: ["after-block"] to declaration-empty-line-before (#8910) (@​kovsu).
  • Added: ignoreSelectors: [] to no-duplicate-selectors (#8883) (@​kovsu).
  • Fixed: Windows drive letter casing inconsistencies when matching patterns against file paths (#8941) (@​adalinesimonian).
  • Fixed: CLI help to include TypeScript config files (#8908) (@​kovsu).
  • Fixed: at-rule-descriptor-no-unknown false positives for declarations within feature-value-blocks (#8868) (@​kovsu).
  • Fixed: declaration-block-no-redundant-longhand-properties false negatives for short and long combinations (#8892) (@​nathannewyen).
  • Fixed: media-feature-name-no-unknown false positives for namespaced dollar variables and range context queries (#8890) (@​kovsu).
  • Fixed: nesting-selector-no-missing-scoping-root false positives for CSS-in-JS (#8905) (@​kovsu).
  • Fixed: no-invalid-position-declaration false negatives for embedded blocks (#8907) (@​kovsu).
  • Fixed: selector-no-qualifying-type false negatives for :is/where() (#8940) (@​romainmenke).
  • Fixed: selector-type-no-unknown false positives for MathML 4 tags (#8874) (@​jeddy3).

16.26.1 - 2025-11-28

It fixes numerous false positive bugs, including many in the declaration-property-value-no-unknown rule for the latest CSS specifications.

  • Fixed: *-no-unknown false positives for latest specs by integrating @csstools/css-syntax-patches-for-csstree (#8850) (@​romainmenke).
  • Fixed: at-rule-no-unknown false positives for @function (#8851) (@​jeddy3).
  • Fixed: declaration-property-value-no-unknown false positives for attr(), if() and custom functions (#8853) (@​jeddy3).
  • Fixed: function-url-quotes false positives when URLs require quoting (#8804) (@​taearls).

... (truncated)

Commits
  • 48f6372 Release 17.1.0 (#9007)
  • 5bed108 Fix selector-type-no-unknown false positives for geolocation and `usermed...
  • 7b0b6f7 Revert "Fix resolution of configs, plugins, processors, and custom syntaxes i...
  • 9b30fbd Remove display-notation secondary options while the specification is in flu...
  • 17ebd25 Fix resolution of configs, plugins, processors, and custom syntaxes in Yarn P...
  • 590df52 Bump prettier from 3.8.0 to 3.8.1 (#9002)
  • d101b15 Remove ignoring ESLint major updates in Dependabot config (#9000)
  • 0d9df2f Add display-notation rule (#8981)
  • 5721667 Turn off skipLibCheck TypeScript configuration option (#8999)
  • 79cf2cf Fix GlobbyOptions TypeScript errors (#8992)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for stylelint since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Medium Risk
Primarily a dev-only dependency update, but it’s a major stylelint upgrade with many transitive changes that may affect lint:style behavior and Node version compatibility.

Overview
Updates dev tooling by bumping stylelint from v15 to v17 (and fixing the stray trailing space in the version), refreshing package-lock.json to the new dependency tree.

The lockfile reflects major transitive dependency churn (notably updates to PostCSS/CSS parsing utilities, globby, meow, flat-cache, etc.) and drops some older CLI helper deps that are no longer needed by stylelint v17.

Written by Cursor Bugbot for commit faa1fbc. This will update automatically on new commits. Configure here.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 1, 2026

Assignees

The following users could not be added as assignees: protocol-galileo. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 1, 2026
@dependabot dependabot bot requested review from a team as code owners February 1, 2026 04:15
@dependabot dependabot bot added the javascript Pull requests that update javascript code label Feb 1, 2026
@dependabot dependabot bot requested review from a team as code owners February 1, 2026 04:15
@vercel
Copy link

vercel bot commented Feb 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
metamask-docs Error Error Feb 10, 2026 9:41pm

Request Review

cursor[bot]
cursor bot reviewed Feb 1, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

package.json Outdated
"eslint": "^9.35.0",
"eslint-plugin-react": "^7.37.5",
"stylelint": "^15.0.0 ",
"stylelint": "^17.1.0",
Copy link

@cursor cursor bot Feb 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incompatible peer dependency version for stylelint-config-standard

High Severity

The stylelint dependency is being upgraded from 15.x to 17.1.0, but stylelint-config-standard remains at version ^34.0.0, which has a peer dependency requirement of stylelint: "^15.10.0". This creates a peer dependency conflict since stylelint 17.x is not compatible with stylelint-config-standard 34.x. The release notes mention compatible shared configs were released alongside stylelint 17, indicating stylelint-config-standard needs to be upgraded (likely to version 37.x or higher) to work with stylelint 17.

Additional Locations (1)

Fix in Cursor Fix in Web

@socket-security
Copy link

socket-security bot commented Feb 1, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedstylelint@​15.11.0 ⏵ 17.2.098 +110010097 +1100

View full report

@socket-security
Copy link

socket-security bot commented Feb 1, 2026
edited
Loading

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: npm cacheable in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.jsonnpm/stylelint@17.2.0npm/cacheable@2.3.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacheable@2.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm meow in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.jsonnpm/stylelint@17.2.0npm/meow@14.0.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/meow@14.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm cosmiconfig is 100.0% likely to have a medium risk anomaly

Notes: The code implements dynamic TypeScript compilation and execution of transpiled code, which carries inherent risk if inputs can be influenced by untrusted sources. No evidence of malware or persistence; risk stems from runtime code execution and path handling. To improve security, enforce strict validation of file paths and input sources, sandbox or isolate dynamic loads, and consider alternative approaches (e.g., using a separate worker or VM) to limit impact of misbehavior.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/stylelint@17.2.0npm/cosmiconfig@9.0.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cosmiconfig@9.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm css-tree is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard, well-scoped parser fragment for a DSL-like FeatureFunction construct. It uses dynamic feature dispatch with proper balance checks and safe fallbacks, and emits a consistent AST node. No malicious behavior detected; the main risks relate to misconfiguration of the features map rather than code-level exploits.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/stylelint@17.2.0npm/css-tree@3.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/stylelint@17.2.0npm/ignore@7.0.5

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/stylelint-17.1.0 branch from cba4890 to d4e7620 Compare February 6, 2026 07:24
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/stylelint-17.1.0 branch from d4e7620 to be8a248 Compare February 10, 2026 00:25
@dependabot
chore(deps-dev): bump stylelint from 15.11.0 to 17.1.0
faa1fbc 
Bumps [stylelint](https://github.com/stylelint/stylelint) from 15.11.0 to 17.1.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/main/CHANGELOG.md)
- [Commits](stylelint/stylelint@15.11.0...17.1.0)

---
updated-dependencies:
- dependency-name: stylelint
  dependency-version: 17.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/stylelint-17.1.0 branch from be8a248 to faa1fbc Compare February 10, 2026 21:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants