Open Tyharo1 opened 2 years ago
Are you interested in working on cutting us over to SVGO v2?
Popping on here to say that we're using this at Heroku and also getting the licensing ding.
Hi friends. I'm pretty slammed lately and can't take this on. I believe the path forward is having us move to SVGO v2 entirely. Is anyone interested in volunteering to do this work?
## 🐞 Bug Report

### Describe the bug

Using the tool Snyk, I found that there is a license risk introduced by the package `svgo` within `broccoli-svg-optimizer`. This issue could limit the use of `ember-svg-jar` from a legal standpoint. The root cause of this issue is a package called `mdn-data` introduced via the following package chain:

```
ember-svg-jar@2.3.4 > broccoli-svg-optimizer@2.0.0 > svgo@1.3.0 > csso@3.5.1 > css-tree@1.0.0-alpha.29 > mdn-data@1.1.4
```

More details regarding the licensing risks introduced by this package can be found in Snyk's database here.
### Reproduce the bug

1. Install `snyk-cli` locally.
2. In the `ember-svg-jar` project, run `snyk test --all-projects`.
### Expected behavior

Snyk should not report a licensing risk when scanning this project.
### Possible Solution

Upgrading `svgo` should resolve the issue as it will bump the version of `mdn-data` being used to a version that is not at a licensing risk. Sadly this would involve a major jump from the current `svgo` version of `1.3.0` to `2.0.0` or greater, and a minimum `Node` version of `13` or greater as required by `svgo` v2.
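The report above is essentially a path through the dependency tree to one package whose license fails a policy. As an added example, not code from the issue, from ember-svg-jar, or from Snyk, the script below walks an `npm ls --json --long`-shaped tree and prints every chain ending in a package whose declared license is on a deny list, in the same `name@version > name@version` form. The tree, the deny list, and the license strings on each node are constructed for this example (the versions mirror the chain quoted in the report).

```javascript
// Added example (not from the ember-svg-jar issue or project): report every
// dependency path that reaches a package whose license is on a deny list.

// Constructed sample tree in the shape of `npm ls --json --long` output
// (name, version, license, dependencies). Versions follow the chain in the
// issue; the license strings are constructed for this example.
const sampleTree = {
  name: 'ember-svg-jar', version: '2.3.4', license: 'MIT',
  dependencies: {
    'broccoli-svg-optimizer': {
      version: '2.0.0', license: 'MIT',
      dependencies: {
        svgo: {
          version: '1.3.0', license: 'MIT',
          dependencies: {
            csso: {
              version: '3.5.1', license: 'MIT',
              dependencies: {
                'css-tree': {
                  version: '1.0.0-alpha.29', license: 'MIT',
                  dependencies: {
                    'mdn-data': { version: '1.1.4', license: 'CC0-1.0', dependencies: {} },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Constructed policy: SPDX identifiers this project's policy does not accept.
const DENIED_LICENSES = new Set(['CC0-1.0', 'UNLICENSED']);

/**
 * Depth-first walk over the tree. Returns one finding per path that ends in a
 * package whose license is denied: { package, license, chain }.
 * `visited` guards against cycles, which resolved npm trees can contain.
 */
function findDeniedLicensePaths(tree, denied = DENIED_LICENSES) {
  const findings = [];
  const walk = (name, node, path, visited) => {
    const label = `${name}@${node.version}`;
    if (visited.has(label)) return;
    const nextVisited = new Set(visited).add(label);
    const nextPath = [...path, label];
    if (denied.has(node.license)) {
      findings.push({ package: label, license: node.license, chain: nextPath.join(' > ') });
    }
    for (const [depName, depNode] of Object.entries(node.dependencies || {})) {
      walk(depName, depNode, nextPath, nextVisited);
    }
  };
  walk(tree.name, tree, [], new Set());
  return findings;
}

// Print findings in the "license: chain" form a reviewer can paste into an issue.
for (const f of findDeniedLicensePaths(sampleTree)) {
  console.log(`${f.license}: ${f.chain}`);
}
```

To run it against a real project, replace `sampleTree` with the parsed output of `npm ls --json --long` and set `DENIED_LICENSES` to the identifiers your policy rejects; the chain it prints is the one you would need to break by upgrading the nearest dependency that pulls in a fixed version.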