svg-sprite / gulp-svg-sprite

SVG sprites & stacks galore — Gulp plugin wrapping around svg-sprite that reads in a bunch of SVG files, optimizes them and creates SVG sprites and CSS resources in various flavours
MIT License

Denial of Service - Vulnerabilities Observed in dependent package #114

Closed deepakb2410 closed 3 years ago

deepakb2410 commented 3 years ago

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ css-what                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > svgo > css-select > css-what  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1754                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

XhmikosR commented 3 years ago

Nothing we can do here. I have updated svgo in svg-sprite's main branch but there are still some issues so I can't cut a new major release.