JetBrains / svg-sprite-loader

Webpack loader for creating SVG sprites.
MIT License

NPM recommending svg-sprite-loader 2.0.3 as a vulnerability fix? #486

Open NickWoodward opened 2 years ago

NickWoodward commented 2 years ago

Do you want to request a feature, report a bug or ask a question? Vulnerability

What is the current behavior? Running npm audit fix suggests rolling back svg-sprite-loader to 2.0.3

What is the expected behavior? Being able to use the latest version

Please tell us about your environment:

Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. stackoverflow, gitter, etc)


```text
postcss  <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via npm audit fix --force
Will install svg-sprite-loader@2.0.3, which is a breaking change
node_modules/postcss
  svg-baker  >=1.2.5
  Depends on vulnerable versions of postcss
  node_modules/svg-baker
    svg-baker-runtime  >=1.4.0-alpha.10475b37
    Depends on vulnerable versions of svg-baker
    node_modules/svg-baker-runtime
      svg-sprite-loader  >=2.0.4
      Depends on vulnerable versions of svg-baker
      Depends on vulnerable versions of svg-baker-runtime
      node_modules/svg-sprite-loader

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
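The audit output above shows why `npm audit fix --force` proposes a downgrade: the only published svg-sprite-loader release whose dependency chain avoids postcss `<7.0.36` is 2.0.3, so npm's fixer can only reach a patched postcss by rolling the loader back. An alternative that keeps the current loader is to pin the transitive dependency from the consuming project's own `package.json` with npm's `overrides` field (available since npm 8.3). The fragment below is an added example for this issue, not part of the svg-sprite-loader project; the loader version, the project name and the exact postcss pin are placeholders, and it assumes (which the thread does not confirm) that svg-baker still builds correctly against postcss 7.0.36 or later.

```json
{
  "name": "example-app",
  "private": true,
  "devDependencies": {
    "svg-sprite-loader": "^6.0.0"
  },
  "overrides": {
    "postcss": ">=7.0.36"
  }
}
```

After editing, run `npm install` to regenerate the lockfile, then `npm ls postcss` to confirm that every copy under `node_modules` resolves to a version at or above the pin, and `npm audit` again to check that GHSA-566m-qj78-rww5 no longer appears. Because an override bypasses the version range svg-baker declares, the build and a sprite render should be exercised in CI before the change ships; if svg-baker cannot run on the newer postcss, the override replaces a known ReDoS with a silent functional break.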