Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Vulnerability: Upgrade svgo #245

Open
LanceStasinski opened this issue Dec 22, 2022 · 3 comments
Open

Security Vulnerability: Upgrade svgo #245

LanceStasinski opened this issue Dec 22, 2022 · 3 comments
Labels
bug

Comments

@LanceStasinski
Copy link

LanceStasinski commented Dec 22, 2022
edited
Loading

🐞 Bug Report

Describe the bug

[email protected], a transient dependency of [email protected], has an Inefficient Regular Expression Complexity vulnerability.

[email protected] is a dependency of [email protected].

Expected behavior

There should not be security vulnerability.

Possible Solution

Update svgo to v3.0.2 which uses [email protected] as a transient dependency.
@linearza
Copy link

+1 This bug has high severity, would be good to resolve!

@Turbo87
Copy link
Contributor

Turbo87 commented May 23, 2023

this vulnerability seems completely irrelevant here since svgo in this context is not used on arbitrary user data. it is only used on the SVG files that you add to your project, and most likely you won't try to DoS yourself... 😅

@ternavsky
Copy link

ternavsky commented Sep 9, 2024
edited
Loading

this vulnerability seems completely irrelevant here since svgo in this context is not used on arbitrary user data. it is only used on the SVG files that you add to your project, and most likely you won't try to DoS yourself... 😅

my boss doesn't care, he sees a vulnerability in a snyk report - demands to remove the dependency

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Turbo87 @linearza @ternavsky @LanceStasinski