css-what's Denial of Service vulnerability #1496

Closed
leifjones opened this issue Jun 21, 2021 · 2 comments

Describe the bug
Projects that consume svgo (e.g., indirectly, @angular-devkit/build-angular via css-minimizer-webpack-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what) have a high severity DoS vulnerability due to something that was fixed in version 5.0.1 of css-what. css-select already fixed this in its latest release. Could there be a dependency update to address this?

To Reproduce
Steps to reproduce the behavior:

  1. run npm install on an angular 12 project
  2. run npm audit

Expected behavior
No vulnerability for projects that depend on patched versions of svgo

Desktop (please complete the following information):

  • SVGO Version ^2.3.0
  • NodeJs Version 14
  • OS: Windows 10
leifjones added the bug label Jun 21, 2021
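
The transitive chain described in the issue can be confirmed directly from a lockfile. This is an added example, not code from svgo or from the issue's author: it walks the `packages` map of an npm v2/v3 `package-lock.json` and reports each css-what install below 5.0.1 together with one dependency chain that pulls it in. The sample lockfile, the `tool` package and all versions other than svgo 2.3.0 are constructed.

```javascript
// Added example: locate css-what installs older than the fixed release in an npm lockfile.
const FIXED = [5, 0, 1]; // css-what version the issue names as containing the fix
const pkgName = (p) => p.slice(p.lastIndexOf('node_modules/') + 13);

function isOlder(version, fixed) {
  const v = String(version).split('-')[0].split('.').map(Number); // prerelease tag ignored
  for (let i = 0; i < 3; i++) if (v[i] !== fixed[i]) return v[i] < fixed[i];
  return false;
}

// Node-style resolution: nearest node_modules/<name>, walking up to the project root.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.includes('/node_modules/') ? base.slice(0, base.lastIndexOf('/node_modules/')) : '';
  }
}

function findVulnerable(lock, name = 'css-what', fixed = FIXED) {
  const packages = lock.packages || {};
  const parent = new Map([['', null]]); // install path -> path that first pulled it in
  for (const path of parent.keys()) { // Map iteration also visits entries added below
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...pkg.devDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (target !== null && !parent.has(target)) parent.set(target, path);
    }
  }
  const chainTo = (p) => (p ? [...chainTo(parent.get(p)), `${pkgName(p)}@${packages[p].version}`] : []);
  return [...parent.keys()]
    .filter((p) => pkgName(p) === name && isOlder(packages[p].version, fixed))
    .map((p) => chainTo(p).join(' > '));
}

// Constructed sample lockfile: one outdated hoisted copy, one patched nested copy.
const sampleLock = { packages: {
  '': { devDependencies: { 'postcss-svgo': '*', tool: '*' } },
  'node_modules/postcss-svgo': { version: '5.0.0', dependencies: { svgo: '^2.3.0' } },
  'node_modules/svgo': { version: '2.3.0', dependencies: { 'css-select': '*' } },
  'node_modules/css-select': { version: '3.1.2', dependencies: { 'css-what': '*' } },
  'node_modules/css-what': { version: '4.0.0' },
  'node_modules/tool': { version: '1.0.0', dependencies: { 'css-what': '*' } },
  'node_modules/tool/node_modules/css-what': { version: '5.0.1' },
} };
console.log(findVulnerable(sampleLock));
```

Only the hoisted 4.0.0 copy is reported; the nested 5.0.1 copy under the constructed `tool` package is treated as patched.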

chappjc commented Jun 21, 2021

Appears to be #1488, but I second this.

leifjones (Author) commented

@chappjc ah, thanks. Yes, I'll close this.
