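🐞 Bug Report
Describe the bug
Using the tool Snyk, I found that there is a license risk introduced by the package svgo within broccoli-svg-optimizer. This issue could limit the use of ember-svg-jar from a legal standpoint. The root cause of this issue is a package called mdn-data introduced via the following package chain:
[email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]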
More details regarding the licensing risks introduced by this package can be found in Snyk's database here.
Reproduce the bug
Install snyk-cli locally
Navigate into the local ember-svg-jar project
Run snyk test --all-projects
Expected behavior
Snyk should not report a licensing risk when scanning this project.
Possible Solution
Upgrading svgo should resolve the issue as it will bump the version of mdn-data being used to a version that is not at a licensing risk. Sadly this would involve a major jump from the current svgo version of 1.3.0 to 2.0.0 or greater and a minimum Node version of 13 or greater as required by svgo V2.
Hi friends. I'm pretty slammed lately and can't take this on. I believe the path forward is having us move to SVGO v2 entirely. Is anyone interested in volunteering to do this work?
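One way to trace which direct dependency pulls mdn-data into the tree, as an added example that is not part of the original issue or the project's code. The tree is constructed in the shape of `npm ls --all --json` output; the placeholder versions and the `intermediate-*` and `unrelated-dep` names are assumptions.

```javascript
// Constructed dependency tree in the shape of `npm ls --all --json` output.
// Only svgo 1.3.0 comes from the issue; other versions and the
// "intermediate-*" / "unrelated-dep" names are placeholders.
const sampleTree = {
  name: "ember-svg-jar",
  version: "0.0.0-placeholder",
  dependencies: {
    "broccoli-svg-optimizer": {
      version: "0.0.0-placeholder",
      dependencies: {
        svgo: {
          version: "1.3.0",
          dependencies: {
            "intermediate-a": {
              version: "0.0.0-placeholder",
              dependencies: {
                "intermediate-b": {
                  version: "0.0.0-placeholder",
                  dependencies: { "mdn-data": { version: "0.0.0-placeholder" } },
                },
              },
            },
          },
        },
      },
    },
    "unrelated-dep": { version: "0.0.0-placeholder" },
  },
};

// Depth-first walk returning every chain of "name@version" entries ending at `target`.
function findPaths(node, target, name = node.name, trail = []) {
  const here = [...trail, `${name}@${node.version}`];
  if (name === target) return [here];
  const paths = [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    paths.push(...findPaths(dep, target, depName, here));
  }
  return paths;
}

// The second entry of each chain is the root's direct dependency: the one the project can bump.
function directCulprits(tree, target) {
  const direct = findPaths(tree, target).map((p) => p[1]).filter(Boolean);
  return [...new Set(direct)];
}

console.log(findPaths(sampleTree, "mdn-data").map((p) => p.join(" > ")).join("\n"));
console.log("direct dependencies to review:", directCulprits(sampleTree, "mdn-data"));
```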