
Upgrade to latest version of svgo #45

Closed
michaeljonathanblack opened this issue Jun 22, 2018 · 12 comments · Fixed by #99 · May be fixed by #35

Comments


michaeljonathanblack commented Jun 22, 2018

There's a PR open now: #35

It closes #34

It also closes #44


jkrehm commented Mar 22, 2019

It will also resolve a security vulnerability that was found in js-yaml.

https://www.npmjs.com/advisories/788

@alex-born

It will also resolve a code injection vulnerability:

https://nodesecurity.io/advisories/813

ljharb (Collaborator) commented Apr 17, 2019

Since no user yaml code is used as input, neither of these is actually a vulnerability here - they’re just false positives.

@michaeljonathanblack (Author)

That's true, but does create noise around npm vulnerabilities and should be fixed.

AlexeySafronov added a commit to ONLYOFFICE/DocSpace that referenced this issue Sep 11, 2019

OZZlE commented Oct 21, 2019

Helloooo, should be pretty easy to fix, right? I want to use this module since it's like half the size of react-svg-loader :)

ljharb (Collaborator) commented Oct 21, 2019

No, it’s not easy to fix, nor is it necessary except to avoid false-positive audit warnings.

@lencioni (Member)

@OZZlE I think the next step to fixing this would be to expose a synchronous API from svgo: svg/svgo#1015

@Chengxuan

Any outlook on fixing this?

@lencioni (Member)

@Chengxuan please see #45 (comment)

@cmonacaps

The maintainer of svgo couldn't respond to a reasonable request for nearly a year?

It's like a zombie. Why not fork or reproduce svgo? It isn't even that critical, since it sounds like the SVG will render the same after svgo is used to "optimize" it as it did before.

@samgermain

> No, it’s not easy to fix, nor is it necessary except to avoid false-positive audit warnings.

@ljharb It's necessary for convincing your boss to let you use this module

ljharb (Collaborator) commented Mar 29, 2021

Since most CVEs are false positives for most people, if that's the situation you're in, you're going to find yourself unable to use a lot of useful modules, unfortunately :-/

9 participants