evoactivity / ember-svg-jar

🍯 Best way to use SVG images in Ember apps
https://svgjar.web.app

[Snyk] mdn-data Licensing Risk #227

Open Tyharo1 opened 2 years ago

Tyharo1 commented 2 years ago

🐞 Bug Report

Describe the bug

Using the tool Snyk, I found that there is a license risk introduced by the package svgo within broccoli-svg-optimizer. This issue could limit the use of ember-svg-jar from a legal standpoint. The root cause of this issue is a package called mdn-data introduced via the following package chain:

ember-svg-jar@2.3.4 > broccoli-svg-optimizer@2.0.0 > svgo@1.3.0 > csso@3.5.1 > css-tree@1.0.0-alpha.29 > mdn-data@1.1.4

More details regarding the licensing risks introduced by this package can be found in Snyk's database here.

Reproduce the bug

  1. Install snyk-cli locally
  2. Navigate into the local ember-svg-jar project
  3. Run snyk test --all-projects

Expected behavior

Snyk should not report a licensing risk when scanning this project.

Possible Solution

Upgrading svgo should resolve the issue as it will bump the version of mdn-data being used to a version that is not at a licensing risk. Sadly this would involve a major jump from the current svgo version of 1.3.0 to 2.0.0 or greater and a minimum Node version of 13 or greater as required by svgo V2.
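One way to reproduce the reported chain from the project's own package-lock.json and re-check it after an svgo upgrade, as an added example that is not part of this issue or of ember-svg-jar (the lockfile entries below are constructed and the license strings are placeholders, not the packages' real declarations):

```javascript
// Added example (not ember-svg-jar code): trace lockfile v2/v3 install paths to a package and flag licenses.
// Nearest enclosing node_modules wins, mirroring how Node resolves a require().
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every chain of { key, name, version, license } hops from the root to `target`; only runtime `dependencies` are followed.
function findDependencyChains(packages, target) {
  const chains = [];
  const walk = (key, trail) => {
    const pkg = packages[key];
    const name = key ? key.slice(key.lastIndexOf("node_modules/") + 13) : pkg.name || "<root>";
    const hop = { key, name, version: pkg.version || "?", license: pkg.license || "UNKNOWN" };
    if (name === target) { chains.push(trail.concat(hop)); return; }
    if (trail.some((h) => h.key === key)) return; // cycle guard
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depKey = resolveDep(packages, key, dep);
      if (depKey) walk(depKey, trail.concat(hop));
    }
  };
  walk("", []);
  return chains;
}

const formatChain = (chain) => chain.map((h) => `${h.name}@${h.version}`).join(" > "); // same form as the report

// Map of "name@version" -> license for hops whose declared license is not on the allow-list (compared verbatim, SPDX expressions not evaluated).
function flagLicenses(chains, allowed) {
  const hits = {};
  for (const h of chains.flat()) if (!allowed.includes(h.license)) hits[`${h.name}@${h.version}`] = h.license;
  return hits;
}

// Constructed sample mirroring the chain in the report; licenses are placeholders. Note the nested mdn-data@1.1.4 under css-tree.
const SAMPLE_PACKAGES = {
  "": { name: "ember-svg-jar", version: "2.3.4", license: "MIT", dependencies: { "broccoli-svg-optimizer": "^2.0.0" } },
  "node_modules/broccoli-svg-optimizer": { version: "2.0.0", license: "MIT", dependencies: { svgo: "^1.3.0" } },
  "node_modules/svgo": { version: "1.3.0", license: "MIT", dependencies: { csso: "^3.5.1" } },
  "node_modules/csso": { version: "3.5.1", license: "MIT", dependencies: { "css-tree": "1.0.0-alpha.29" } },
  "node_modules/css-tree": { version: "1.0.0-alpha.29", license: "MIT", dependencies: { "mdn-data": "~1.1.0" } },
  "node_modules/css-tree/node_modules/mdn-data": { version: "1.1.4", license: "SAMPLE-RESTRICTED" },
  "node_modules/mdn-data": { version: "2.0.4", license: "MIT" },
};
```

Against a real lockfile, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8")).packages` as the first argument; the scanner's report remains authoritative for which licenses it treats as a risk.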

jherdman commented 2 years ago

Are you interested in working on cutting us over to SVGO v2?

saracope commented 2 years ago

Popping on here to say that we're using this at Heroku and also getting the licensing ding.

jherdman commented 2 years ago

Hi friends. I'm pretty slammed lately and can't take this on. I believe the path forward is having us move to SVGO v2 entirely. Is anyone interested in volunteering to do this work?