ben-eb / gulp-svgmin

Minify SVG files with gulp.
MIT License

css-what dependency is vulnerable to Denial of Service #114

Closed IlyaShestakov closed 3 years ago

IlyaShestakov commented 3 years ago

When using gulp-svgmin@3.0.0, npm audit reports:

  High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   gulp-svgmin [dev]
  Path            gulp-svgmin > svgo > css-select > css-what
  More info       https://npmjs.com/advisories/1754

svgo issue to upgrade dependency: https://github.com/svg/svgo/issues/1488

rejas commented 3 years ago

Thanks for the report. Preparing a v4 release but would like to wait for https://github.com/svg/svgo/pull/1485 to get merged into svgo and released so that we can get rid of the warning.

rejas commented 3 years ago

Fixed with the v4.0.0 release.
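To confirm that an installed tree no longer resolves a css-what older than the patched 5.0.1, the dependency tree can be walked directly. The following is an added example, not code from this thread or from gulp-svgmin; it assumes input shaped like `npm ls --all --json` output, and the function names and sample trees are constructed for illustration.

```javascript
// Added example: list every dependency path that resolves `pkg` below `patched`.
// Assumed input shape (as in `npm ls --all --json`):
//   { name, version, dependencies: { <name>: { version, dependencies } } }

// Compare two x.y.z versions; negative if a < b, zero if equal, positive if a > b.
// Assumption: prerelease/build suffixes are ignored, only the numeric core is compared.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; records each path ending at `pkg` with version < `patched`.
function findVulnerablePaths(tree, pkg, patched, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && node.version && compareVersions(node.version, patched) < 0) {
      hits.push({ path: path.join(' > '), version: node.version });
    }
    hits.push(...findVulnerablePaths(node, pkg, patched, path));
  }
  return hits;
}

// Constructed sample trees. Only gulp-svgmin 3.0.0 / 4.0.0 and the 5.0.1 threshold
// come from the thread; every other version number here is a placeholder.
function sampleTree(gulpSvgminVersion, cssWhatVersion) {
  return { name: 'example-project', version: '1.0.0', dependencies: {
    'gulp-svgmin': { version: gulpSvgminVersion, dependencies: {
      svgo: { version: '0.0.0-placeholder', dependencies: {
        'css-select': { version: '0.0.0-placeholder', dependencies: {
          'css-what': { version: cssWhatVersion } } } } } } } } };
}

const before = sampleTree('3.0.0', '3.4.2'); // constructed: below the patched version
const after = sampleTree('4.0.0', '5.0.1');  // constructed: at the patched version

console.log(findVulnerablePaths(before, 'css-what', '5.0.1'));
console.log(findVulnerablePaths(after, 'css-what', '5.0.1'));
```

For a real project, pass `JSON.parse` of the `npm ls --all --json` output as the tree.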