airbnb / babel-plugin-inline-react-svg

A babel plugin that optimizes and inlines SVGs for your React Components.
MIT License
474 stars 92 forks

Upgrade svgo #79

Closed tomphilbin closed 4 years ago

tomphilbin commented 4 years ago

The js-yaml package, which is a dependency of svgo, has a high-severity Code Injection vulnerability documented here: https://www.npmjs.com/advisories/813

ljharb commented 4 years ago

This is a duplicate of #66; see also #35 and #34; svgo v1+ doesn't offer a synchronous mechanism, so we can't use it.

Additionally, every security issue you're referencing is a false positive that does not apply to this repo.