w0rm / gulp-svgstore

Combine svg files into one with symbol elements
https://www.npmjs.com/package/gulp-svgstore

css-what dependency is vulnerable to Denial of Service #108

Closed IlyaShestakov closed 3 years ago

IlyaShestakov commented 3 years ago

When using gulp-svgstore@7.0.1, npm audit reports:

High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   gulp-svgstore [dev]
  Path            gulp-svgstore > cheerio > css-select > css-what
  More info       https://npmjs.com/advisories/1754

Proposed fix

Upgrade the dependency on css-select to be ^4.1.3, since 4.1.3 bumps their dependency on css-what to 5.0.1 and fixes this issue.

w0rm commented 3 years ago

Fixed in 8.0.0
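
A check for the condition reported in this issue, as an added example that is not part of the thread or of gulp-svgstore: it scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3) for installed copies of css-what below the patched 5.0.1. The function names and the sample lockfile, including its version numbers, are constructed for illustration.

```javascript
// Parse "x.y.z" into numbers. Pre-release/build suffixes are ignored
// (a simplification; use a full semver library where they matter).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every install location of `name` whose version is below `patched`.
function findUnpatched(lock, name, patched) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the text after the
    // last "node_modules/" is the package name (scoped names included).
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the "" root project entry
    if (path.slice(idx + marker.length) !== name) continue;
    if (entry.version && lessThan(entry.version, patched)) {
      hits.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Constructed lockfile fragment (versions are sample values, not taken
// from gulp-svgstore's real dependency tree).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", devDependencies: { "gulp-svgstore": "7.0.1" } },
    "node_modules/gulp-svgstore": { version: "7.0.1", dev: true },
    "node_modules/css-what": { version: "3.4.2", dev: true },
    "node_modules/other/node_modules/css-what": { version: "5.0.1", dev: true },
  },
};

console.log(findUnpatched(sampleLock, "css-what", "5.0.1"));
```

Nested copies are reported separately because npm can install more than one version of the same package, so a fix in one branch of the tree does not guarantee every copy is patched.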