jhamlet / svg-react-loader

Webpack SVG to React Component Loader
MIT License
559 stars 82 forks

[Security] Dependency CSS out of date. #106

Closed Tenkir closed 6 years ago

Tenkir commented 6 years ago

This package currently depends on CSS@2.2.1. There is a security vulnerability in this version, which is resolved in the latest version (@2.2.4). This should be updated.

More info: https://nodesecurity.io/advisories/646

jeffvandyke commented 6 years ago

Seeing the same here. My dependency path was svg-react-loader > css > source-map-resolve > atob. Awesome news is that atob, source-map-resolve, and css have all updated past the vulnerability. Now if only svg-react-loader would update, I'd have 0 npm audit vulnerabilities...

Fabianopb commented 6 years ago

There's a PR for that: https://github.com/jhamlet/svg-react-loader/pull/105#pullrequestreview-158967776

medington commented 6 years ago

Any ETA on getting a release with this fix?

jhamlet commented 6 years ago

Fixed.
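The transitive path discussed in this thread can be located mechanically. The following is an added example, not part of the thread or of svg-react-loader: it walks a tree shaped like `npm ls --json` output and reports every path to `css` below 2.2.4. The function names, the `my-app` and `other-loader` packages, and the placeholder versions are assumptions constructed for illustration.

```javascript
// Compare two plain x.y.z versions; returns <0, 0 or >0.
// Pre-release and build tags are not handled (assumption: simple versions only).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk: collect every path ending at `name` with version < `fixedIn`.
// The same package can be installed at several depths, so all hits are returned.
function findOutdatedPaths(tree, name, fixedIn, trail = [tree.name]) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name && info.version && compareVersions(info.version, fixedIn) < 0) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    hits.push(...findOutdatedPaths(info, name, fixedIn, path));
  }
  return hits;
}

// Constructed sample in the nested shape of `npm ls --json`.
// Only css 2.2.1 and 2.2.4 come from the thread; other versions are placeholders.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'svg-react-loader': {
      version: '0.0.0-placeholder',
      dependencies: {
        css: {
          version: '2.2.1',
          dependencies: {
            'source-map-resolve': {
              version: '0.0.0-placeholder',
              dependencies: { atob: { version: '0.0.0-placeholder' } },
            },
          },
        },
      },
    },
    // A second consumer already on the fixed release must not be reported.
    'other-loader': { version: '0.0.0-placeholder', dependencies: { css: { version: '2.2.4' } } },
  },
};

console.log(findOutdatedPaths(sampleTree, 'css', '2.2.4'));
```

The reported path names the direct dependency that has to publish a release (here svg-react-loader) before the outdated copy can leave the tree.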