Open zarinacodes opened 1 year ago
Problem is still present. Vulnerable versions of json5 and loader-utils are still in use by the latest version of gatsby-plugin-react-svg. https://snyk.io/advisor/npm-package/gatsby-plugin-react-svg
```
# npm audit report

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/svg-react-loader/node_modules/json5
  loader-utils  <=1.4.1
  Depends on vulnerable versions of json5
  node_modules/svg-react-loader/node_modules/loader-utils
    svg-react-loader  >=0.4.3
    Depends on vulnerable versions of loader-utils
    node_modules/svg-react-loader
      gatsby-plugin-react-svg  *
      Depends on vulnerable versions of svg-react-loader
      node_modules/gatsby-plugin-react-svg

loader-utils  <=1.4.1
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Depends on vulnerable versions of json5
No fix available
node_modules/svg-react-loader/node_modules/loader-utils
  svg-react-loader  >=0.4.3
  Depends on vulnerable versions of loader-utils
  node_modules/svg-react-loader
    gatsby-plugin-react-svg  *
    Depends on vulnerable versions of svg-react-loader
    node_modules/gatsby-plugin-react-svg
```
Since svg-react-loader is dead, the project should definitely migrate away. In the meantime, you can fix the vulnerabilities in your projects by using package.json overrides, just like in https://github.com/markavenue/website/commit/f26c4c74655ec0c90c956423bc5684f0d642d77b.
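The `overrides` workaround described above, written out as an added example (this is not the content of the linked commit and not the plugin's own package.json): the two version floors are the first releases outside the vulnerable ranges reported by `npm audit` on this page (`json5 <1.0.2`, `loader-utils <=1.4.1`), and the nesting under `svg-react-loader` limits the override to that loader's dependency subtree instead of pinning the whole project.

```json
{
  "name": "my-gatsby-site",
  "private": true,
  "dependencies": {
    "gatsby": "^4.0.0",
    "gatsby-plugin-react-svg": "^3.0.0"
  },
  "overrides": {
    "svg-react-loader": {
      "loader-utils": "^1.4.2",
      "json5": "^1.0.2"
    }
  }
}
```

`overrides` needs npm 8.3 or newer (Yarn uses the `resolutions` field instead); after `npm install`, `npm ls json5 loader-utils` should show only the overridden versions under `svg-react-loader` and `npm audit` should no longer list the four advisories above.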
The dependency `svg-react-loader` not only uses a vulnerable version of `loader-utils` (`@1.1.0`), but also seems to be abandoned, as the last release was 4 years ago. Is there a chance that you will fork it, fix it or address this issue? Would appreciate your help here.