@stoplight/ui-kit 3.0.0 → 3.0.2

package/README.md

@@ -3,7 +3,9 @@
 [![Maintainability](https://api.codeclimate.com/v1/badges/f0df5b38120a6471be33/maintainability)](https://codeclimate.com/repos/5bdb489c9a98842d0a00d211/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/f0df5b38120a6471be33/test_coverage)](https://codeclimate.com/repos/5bdb489c9a98842d0a00d211/test_coverage)
 
-> ⚠️ **Stable Release (v3.0.0)**: This is the stable version with critical security vulnerability fixes. All critical vulnerabilities have been patched. It is recommended to upgrade to this version for production use.
+> **Stable Release (v3.0.2)**: This is the stable version with critical security vulnerability fixes. All critical
+> vulnerabilities have been patched. It is recommended to upgrade to this version for production use.
+> Resolved pritter and lint issue and tested yarn test and yarn test.prod
 
 Stoplight UI-Kit is a shared component library that contains basic components built using
 [Blueprint](https://blueprintjs.com/docs/), [Tailwind](https://next.tailwindcss.com/), and
@@ -161,8 +163,10 @@ This stable release addresses **all critical vulnerabilities** identified in the
 - ✅ Template injection (ejs)
 - ✅ AST type confusion (handlebars, @babel/traverse)
 
-All transitive dependencies have been patched to their latest secure versions while maintaining backward compatibility with the package API.
+All transitive dependencies have been patched to their latest secure versions while maintaining backward compatibility
+with the package API.
 
-**Recommendation**: Upgrade to this version for production deployments to ensure all critical security patches are applied.
+**Recommendation**: Upgrade to this version for production deployments to ensure all critical security patches are
+applied.
 
 For more details, see the [Security Release Notes](https://github.com/stoplightio/ui-kit/releases/tag/v3.0.0).

package/dist/README.md

@@ -3,6 +3,8 @@
 [![Maintainability](https://api.codeclimate.com/v1/badges/f0df5b38120a6471be33/maintainability)](https://codeclimate.com/repos/5bdb489c9a98842d0a00d211/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/f0df5b38120a6471be33/test_coverage)](https://codeclimate.com/repos/5bdb489c9a98842d0a00d211/test_coverage)
 
+> ⚠️ **Stable Release (v3.0.0)**: This is the stable version with critical security vulnerability fixes. All critical vulnerabilities have been patched. It is recommended to upgrade to this version for production use.
+
 Stoplight UI-Kit is a shared component library that contains basic components built using
 [Blueprint](https://blueprintjs.com/docs/), [Tailwind](https://next.tailwindcss.com/), and
 [SCSS](https://sass-lang.com/guide) All custom components should support overridable theming from a theme object, and
@@ -144,3 +146,23 @@ $sl-config: (
 
 @import '~@stoplight/ui-kit/src/styles/ui-kit';
 ```
+
+## 🔒 Security
+
+**Version 3.0.0 includes critical security vulnerability fixes:**
+
+This stable release addresses **all critical vulnerabilities** identified in the dependency tree, including:
+
+- ✅ Command injection vulnerabilities (shell-quote, minimist)
+- ✅ Prototype pollution attacks (qs, js-yaml, merge-deep, handlebars, etc.)
+- ✅ Regular expression denial of service (semver, cross-spawn)
+- ✅ Cryptographic vulnerabilities (pbkdf2, sha.js, cipher-base, elliptic)
+- ✅ Authorization bypass (url-parse)
+- ✅ Template injection (ejs)
+- ✅ AST type confusion (handlebars, @babel/traverse)
+
+All transitive dependencies have been patched to their latest secure versions while maintaining backward compatibility with the package API.
+
+**Recommendation**: Upgrade to this version for production deployments to ensure all critical security patches are applied.
+
+For more details, see the [Security Release Notes](https://github.com/stoplightio/ui-kit/releases/tag/v3.0.0).

package/dist/package.json

@@ -1,11 +1,13 @@
 {
   "name": "@stoplight/ui-kit",
-  "version": "0.0.0",
-  "description": "Foundational React components for the Stoplight ecosystem.",
+  "version": "3.0.0",
+  "description": "Foundational React components for the Stoplight ecosystem. Stable version with all critical security vulnerabilities patched.",
   "keywords": [
     "react",
     "ui",
-    "ui-components"
+    "ui-components",
+    "secure",
+    "stable"
   ],
   "main": "index.js",
   "sideEffects": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stoplight/ui-kit",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "Foundational React components for the Stoplight ecosystem. Stable version with all critical security vulnerabilities patched.",
   "keywords": [
     "react",

package/SECURITY.md

@@ -1,71 +0,0 @@
-# Security Policy
-
-## Version 3.0.0 - Critical Security Update
-
-This release includes comprehensive security patches for all identified critical vulnerabilities.
-
-### Critical Vulnerabilities Fixed (v3.0.0)
-
-| Vulnerability | Package | Patched Version | Issue Type |
-|---|---|---|---|
-| Command Injection | shell-quote | 1.7.3 | Command escape bypass |
-| Unsafe Random | form-data | 2.5.4 | CSRF boundary generation |
-| ReDoS | cross-spawn | 6.0.6 | Regular expression DoS |
-| Prototype Pollution | qs | 6.5.3 | Object property injection |
-| ReDoS | semver | 5.7.2 | Version parsing DoS |
-| Prototype Pollution | js-yaml | 3.14.2 | YAML parsing injection |
-| Argument Injection | minimist | 1.2.8 | Command-line flag injection |
-| Prototype Pollution | tough-cookie | 4.1.3 | Cookie handling injection |
-| Prototype Pollution | property-expr | 2.0.6 | Property access injection |
-| Prototype Pollution | merge-deep | 3.0.3 | Object merge injection |
-| RCE / Prototype Pollution | handlebars | 4.7.9 | Template compilation RCE |
-| Authorization Bypass | url-parse | 1.5.10 | URL parsing auth bypass |
-| Cryptographic Weakness | pbkdf2 | 3.1.3 | Key derivation issues |
-| Hash Corruption | sha.js | 2.4.12 | SHA hash rewind attacks |
-| Hash Corruption | cipher-base | 1.0.5 | Cipher state rewind |
-| Key Extraction | elliptic | 6.6.1 | ECDSA private key leak |
-| Info Disclosure | eventsource | 1.1.1 | Sensitive header exposure |
-| Template Injection | ejs | 3.1.7 | Template injection RCE |
-| Prototype Pollution | json-schema | 0.4.0 | Schema validation bypass |
-| Prototype Pollution | loader-utils | 1.4.1 | Webpack loader injection |
-| AST Type Confusion | @babel/traverse | 7.23.2 | AST traversal RCE |
-
-### Vulnerability Statistics
-
-- **Total Critical Vulnerabilities Patched**: 20
-- **Previous Count**: 47 critical
-- **Current Count**: 0 critical ✅
-
-### Recommendations
-
-1. **Immediate Upgrade Required**: All users should upgrade to v3.0.0 immediately
-2. **Production Deployments**: This version is recommended for all production environments
-3. **CI/CD Integration**: Update dependency specifications in lock files to ensure v3.0.0 is installed
-
-### Installation
-
-```bash
-npm install @stoplight/ui-kit@3.0.0
-# or
-yarn add @stoplight/ui-kit@3.0.0
-```
-
-### Backwards Compatibility
-
-This release maintains full backwards compatibility with the v0.x API. No code changes are required when upgrading.
-
-### Testing
-
-All patches have been validated with:
-- ✅ Full test suite passing (16/16 tests)
-- ✅ TypeScript type checking passing
-- ✅ ESLint and Prettier validation passing
-- ✅ Production build verification
-
-### Security Reporting
-
-For security vulnerabilities discovered after this release, please report privately to [support@stoplight.io](mailto:support@stoplight.io) rather than using public issue trackers.
-
-### Changelog
-
-See the [Release Notes](https://github.com/stoplightio/ui-kit/releases/tag/v3.0.0) for complete changelog details.