"High" Severity Audit from dependency css-select and css-what #1488
Comments
Comment from the css-what author: fb55/css-what#503
@SymbioticKilla Yes, but as I noted in my comment, this project doesn't depend directly on css-what. So for this project, the required action is to update the dependency on css-select.
I'm investigating the dependency tree as well (via cssnano) and also ended up at svgo updating the css-select dependency. @zackdotcomputer's suggestion seems the right one.
@zackdotcomputer I just noticed that there will be no fixed version for css-what in the v4 branch (4.0.1 etc.), so it is up to svgo to fix the problem with a major version update of css-select.
Existing PR here: #1485
@zackdotcomputer was right, @SymbioticKilla: he is not asking to upgrade something in select-css, he wants svgo to update the select-css package to 5.x.x; right now svgo is using select-css@^3.1.2. +1
@khadervali Actually, I agreed in both of my messages that it is up to svgo. I posted evidence that svgo should not wait for the css-what author for a backport.
Describe the bug
Per this advisory, installations that include svgo now cause an npm audit warning to appear because of the dependency on 3.x versions of css-select, which in turn depends on a version of css-what older than 5.0.1.
To Reproduce
- Add svgo as a dependency.
- Run npm audit.
Expected behavior
No audit warning should appear.
Proposed fix
Upgrade the dependency on css-select to be ^4.1.3, since 4.1.3 bumps their dependency on css-what to 5.0.1 and fixes this issue.
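The chain the thread is arguing about (svgo, then css-select 3.x, then a css-what older than 5.0.1) is what `npm ls css-what` shows interactively. As an added example that is not part of this issue and not svgo's own code, the script below does the same walk offline over a package-lock.json v2/v3 "packages" map and reports every path that still ends at a css-what below the fix version, so a CI job can assert that the proposed css-select ^4.1.3 bump actually cleared the audit. The lock contents, the svgo version, the css-what 3.x version, the "other-lib" package and the resolveDep/findChains/vulnerableChains helpers are all constructed for the example; only css-select 3.1.2 / 4.1.3 and css-what 5.0.1 come from the issue.

```javascript
// Added example (not svgo's code and not from this issue thread): walk an
// npm package-lock.json v2/v3 "packages" map and list every dependency
// chain that reaches a target package at a version below a given fix.

const FIXED_CSS_WHAT = "5.0.1"; // fix version named in the issue

// Constructed fixture: the state the issue describes. svgo pins
// css-select ^3.1.2, which in turn pulls in a css-what older than 5.0.1.
// svgo's own version, the css-what 3.x version and the ranges are made up.
const LOCK_BEFORE = {
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { svgo: "^2.0.0" } },
    "node_modules/svgo": { version: "2.0.0", dependencies: { "css-select": "^3.1.2" } },
    "node_modules/css-select": { version: "3.1.2", dependencies: { "css-what": "^3.2.1" } },
    "node_modules/css-what": { version: "3.4.2" },
  },
};

// Constructed fixture after the proposed fix (css-select ^4.1.3, which
// depends on css-what 5.0.1), plus a hypothetical second consumer that
// still pins the old css-select. npm nests that copy, so the old css-what
// is still reachable and npm audit would still flag it.
const LOCK_AFTER = {
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { svgo: "^2.0.0", "other-lib": "^1.0.0" } },
    "node_modules/svgo": { version: "2.0.0", dependencies: { "css-select": "^4.1.3" } },
    "node_modules/css-select": { version: "4.1.3", dependencies: { "css-what": "^5.0.1" } },
    "node_modules/css-what": { version: "5.0.1" },
    "node_modules/other-lib": { version: "1.0.0", dependencies: { "css-select": "^3.1.2" } },
    "node_modules/other-lib/node_modules/css-select": { version: "3.1.2", dependencies: { "css-what": "^3.2.1" } },
    "node_modules/other-lib/node_modules/css-what": { version: "3.4.2" },
  },
};

// Package name from a lockfile path; also handles scoped names ("@s/n").
function nameOf(lock, path) {
  if (path === "") return lock.packages[""].name;
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Emulate Node's module lookup: try the dependent's own node_modules,
// then each ancestor's node_modules, ending at the project root.
function resolveDep(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir === "" ? `node_modules/${name}` : `${dir}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (dir === "") return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Depth-first walk from the root; returns each chain of "name@version"
// steps that ends at `target`. `seen` holds the paths on the current
// chain so a dependency cycle cannot recurse forever.
function findChains(lock, target) {
  const chains = [];
  const walk = (path, chain, seen) => {
    const pkg = lock.packages[path];
    const next = chain.concat(`${nameOf(lock, path)}@${pkg.version}`);
    if (path !== "" && nameOf(lock, path) === target) { chains.push(next); return; }
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const resolved = resolveDep(lock, path, dep);
      if (resolved && !seen.has(resolved)) walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Numeric x.y.z comparison; assumes no prerelease tags (enough for the
// versions in play here, not a full semver implementation).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Chains whose final hop is still below `fixedVersion`, rendered as
// "a@1 > b@2 > target@3" so the offending consumer is readable at a glance.
function vulnerableChains(lock, target, fixedVersion) {
  return findChains(lock, target)
    .filter((chain) => compareVersions(chain[chain.length - 1].split("@").pop(), fixedVersion) < 0)
    .map((chain) => chain.join(" > "));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before fix:", vulnerableChains(LOCK_BEFORE, "css-what", FIXED_CSS_WHAT));
  console.log("after fix: ", vulnerableChains(LOCK_AFTER, "css-what", FIXED_CSS_WHAT));
}
```

Run it with node. The first fixture reproduces the report in this issue: one chain through svgo and css-select 3.1.2. The second fixture is the caveat worth checking before closing the audit: bumping svgo's css-select range clears svgo's own path, but any other package in the tree that still pins css-select 3.x keeps a nested copy of the old css-what, and npm audit will keep flagging it until that consumer moves too. To use it on a real project, replace the constructed fixtures with `JSON.parse(fs.readFileSync("package-lock.json"))`.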