Closed michaeljonathanblack closed 3 years ago
It will also resolve a security vulnerability that was found in js-yaml.
It will also resolve a code injection vulnerability:
Since no user yaml code is used as input, neither of these are actually vulnerabilities here - they’re just false positives.
That's true, but does create noise around npm vulnerabilities and should be fixed.
helloooo, should be pretty easy to fix right? I want to use this module since it's like half the size of react-svg-loader :)
No, it’s not easy to fix, nor is it necessary except to avoid false-positive audit warnings.
@OZZlE I think the next step to fixing this would be to expose a synchronous API from svgo: https://github.com/svg/svgo/issues/1015
Any outlook on fixing this?
@Chengxuan please see https://github.com/airbnb/babel-plugin-inline-react-svg/issues/45#issuecomment-544570324
The maintainer of svgo couldn't respond to a reasonable request for nearly a year?
It's like a zombie; why not fork or reproduce svgo, which isn't even that critical since it sounds like the svg will render the same after as before svgo is used to "optimize" it?
No, it’s not easy to fix, nor is it necessary except to avoid false-positive audit warnings.
@ljharb It's necessary for convincing your boss to let you use this module
Since most CVEs are false positives for most people, if that's the situation you're in, you're going to find yourself unable to use a lot of useful modules, unfortunately :-/
There's a PR open now: https://github.com/airbnb/babel-plugin-inline-react-svg/pull/35
It closes https://github.com/airbnb/babel-plugin-inline-react-svg/pull/34
It also closes https://github.com/airbnb/babel-plugin-inline-react-svg/issues/44