Skip to content

fix: update svgo to non-vulnerable version#21

Open
brettz9 wants to merge 2 commits intoyahoo:masterfrom
brettz9:svgo
Open

fix: update svgo to non-vulnerable version#21
brettz9 wants to merge 2 commits intoyahoo:masterfrom
brettz9:svgo

Conversation

@brettz9
Copy link
Contributor

@brettz9 brettz9 commented Jun 26, 2021
edited
Loading

  • fix: update svgo to non-vulnerable version (older version relied on bad css-select -> css-what)

The vulnerability is described at https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035

Also:

  1. updates devDeps.
  2. fixes problem with numeric entities for < and & not being permissible when they should be (needed to keep a test passing as well as being a proper fix for svgo #1498)

Note that svgo changed their API from asynchronous to synchronous (see https://github.com/svg/svgo/releases/tag/v2.0.0 ). The reason I changed our functions to async (the syntax is ok because our engines range of Node 10+ as they were available since Node 8) was to ensure they would continue returning a Promise, thus avoiding changing our own API. I think perhaps it is fine to continue having an async API since this is the kind of thing that could become async again, but it's not technically needed anymore.

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

@brettz9
Copy link
Contributor Author

brettz9 commented Jul 9, 2021
edited
Loading

I'd be grateful for an ETA if possible. This is a vulnerability fix, so would hope it could be given some priority. Thanks!

This was referenced Sep 21, 2021
Open
Open
@brettz9
fix: update svgo to non-vulnerable version (older version relied on b…
054371b 
…ad `css-select` -> `css-what`)

The vulnerability is described at https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035

Also:
1. updates devDeps.
2. fixes problem with numeric entities for `<` and `&` not being permissible when they should be (needed to keep a test passing as well as being a proper fix)
@brettz9
Copy link
Contributor Author

brettz9 commented Dec 22, 2021

@tkyi : Could you merge this please? It's been a vulnerability for 6 months, and not much involved to the update.

@brettz9
Copy link
Contributor Author

brettz9 commented Apr 30, 2022

Do you want to archive the project if not maintaining it?

@AlonNavon
Copy link

AlonNavon commented Aug 1, 2023
edited
Loading

Hey @brettz9,

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an nth-check 1.02-sp1 that doesn't have CVE-2021-3803. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brettz9 @AlonNavon