nadavsinai
commented
5 years ago hi, Just FYI, i've done this work and you can use my fork. npm i @algotec/webpack-svgstore-plugin#v5.1.2
I'm trying to get the owners to merge this for a while now...
Open rwinzhang opened 5 years ago
nadavsinai
commented
5 years ago hi, Just FYI, i've done this work and you can use my fork. npm i @algotec/webpack-svgstore-plugin#v5.1.2
I'm trying to get the owners to merge this for a while now...
jonascarlbaum
commented
4 years ago That's not the only package that needs update...
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of webpack-svgstore-plugin [dev]
Path webpack-svgstore-plugin > lodash
More info https://npmjs.com/advisories/577
High Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of webpack-svgstore-plugin [dev]
Path webpack-svgstore-plugin > lodash
More info https://npmjs.com/advisories/782
High Prototype Pollution
Package lodash
Patched in >=4.17.12
Dependency of webpack-svgstore-plugin [dev]
Path webpack-svgstore-plugin > lodash
More info https://npmjs.com/advisories/1065
Low Regular Expression Denial of Service
Package clean-css
Patched in >=4.1.11
Dependency of webpack-svgstore-plugin [dev]
Path webpack-svgstore-plugin > pug > pug-filters > clean-css
More info https://npmjs.com/advisories/785
Moderate Denial of Service
Package js-yaml
Patched in >=3.13.0
Dependency of webpack-svgstore-plugin [dev]
Path webpack-svgstore-plugin > svgo > js-yaml
More info https://npmjs.com/advisories/788
High Code Injection
Package js-yaml
Patched in >=3.13.1
Dependency of webpack-svgstore-plugin [dev]
Path webpack-svgstore-plugin > svgo > js-yaml
More info https://npmjs.com/advisories/813For example svgo needs to be at least 1.2.2 but is dependent on 0.7.1 in this project and pug needs to be at least 2.0.3 but is 2.0.0-beta6.
I think that, alongside lodash at least 4.17.11 will cover the vulnerabilities I pasted above.
Maybe you covered all @nadavsinai ?
Reference: https://www.npmjs.com/advisories/577