evoactivity / ember-svg-jar

🍯 Best way to use SVG images in Ember apps
https://svgjar.web.app

Security Vulnerability: Upgrade `svgo` #245

Open LanceStasinski opened 1 year ago

LanceStasinski commented 1 year ago

🐞 Bug Report

Describe the bug

nth-check@1.0.2, a transitive dependency of svgo@2.1.0, has an Inefficient Regular Expression Complexity vulnerability.

svgo@2.1.0 is a dependency of broccoli-svg-optimizer@2.1.0.

Expected behavior

There should not be a security vulnerability.

Possible Solution

Update svgo to v3.0.2, which uses nth-check@2.0.1 as a transitive dependency.

linearza commented 1 year ago

+1. This bug has high severity; it would be good to resolve!

Turbo87 commented 1 year ago

This vulnerability seems completely irrelevant here, since svgo in this context is not used on arbitrary user data. It is only used on the SVG files that you add to your project, and most likely you won't try to DoS yourself... 😅
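The discussion above turns on where nth-check actually sits in the installed tree and which copy of it gets resolved. The following is an added example, not code from ember-svg-jar or from anyone in this thread: it walks a package-lock.json (the lockfileVersion 2/3 `packages` map) with Node-style nearest-`node_modules` resolution and reports every dependency path from the project root to a copy of a package whose version is below a given fixed version. The lockfile is constructed inline for illustration; the `css-select` edge between svgo and nth-check and the nested duplicate copy are assumptions, not facts stated in the issue.

```javascript
// Added example: locate vulnerable transitive copies of a package in a lockfile.
// Sample lockfile (constructed for this example; the css-select edge and the
// nested nth-check copy are assumptions, not taken from the issue above).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "broccoli-svg-optimizer": "2.1.0", "nth-check": "2.0.1" } },
    "node_modules/broccoli-svg-optimizer": { version: "2.1.0", dependencies: { svgo: "2.1.0" } },
    "node_modules/svgo": { version: "2.1.0", dependencies: { "css-select": "3.1.2" } },
    "node_modules/css-select": { version: "3.1.2", dependencies: { "nth-check": "1.0.2" } },
    // The root already holds nth-check@2.0.1, so css-select's older requirement
    // is installed nested beneath it. A top-level bump alone does not touch this copy.
    "node_modules/css-select/node_modules/nth-check": { version: "1.0.2" },
    "node_modules/nth-check": { version: "2.0.1" },
  },
};

// Numeric comparison of dotted core versions, e.g. "1.0.2" < "2.0.1".
// Pre-release suffixes are dropped (an assumption; fine for this lockfile).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Node-style resolution: look for name in the requiring package's own
// node_modules, then walk up one node_modules level at a time to the root.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// "node_modules/css-select/node_modules/nth-check" -> "nth-check" (scoped names keep their scope).
function nameOf(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root; returns one label chain per path that ends
// in a copy of `name` older than `fixedVersion`. A path-based stack breaks cycles.
function findVulnerablePaths(lock, name, fixedVersion) {
  const packages = lock.packages;
  const results = [];
  function walk(pkgPath, stack) {
    const deps = (packages[pkgPath] && packages[pkgPath].dependencies) || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDependency(packages, pkgPath, depName);
      if (depPath === null || stack.includes(depPath)) continue; // missing (optional) or cycle
      const next = [...stack, depPath];
      if (depName === name && compareVersions(packages[depPath].version, fixedVersion) < 0) {
        results.push(next.map((p) => `${nameOf(p)}@${packages[p].version}`));
      }
      walk(depPath, next);
    }
  }
  walk("", []);
  return results;
}

// Human-readable report, one line per vulnerable path.
function report(lock, name, fixedVersion) {
  return findVulnerablePaths(lock, name, fixedVersion).map((chain) => chain.join(" > "));
}

console.log(report(sampleLock, "nth-check", "2.0.1").join("\n"));
```

On a real checkout `npm ls nth-check` prints the same kind of path, and `npm audit` flags the advisory; neither tells you whether untrusted input ever reaches that code, which is the point Turbo87 raises above. The nested copy in the sample is why pinning or overriding the top-level version is not enough on its own: the resolver still hands css-select its own older nth-check.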