Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update svgo to non-vulnerable version #21

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: update svgo to non-vulnerable version #21

wants to merge 2 commits into from

Conversation

brettz9
Copy link
Contributor

@brettz9 brettz9 commented Jun 26, 2021
edited
Loading

  • fix: update svgo to non-vulnerable version (older version relied on bad css-select -> css-what)

The vulnerability is described at https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035

Also:

  1. updates devDeps.
  2. fixes problem with numeric entities for < and & not being permissible when they should be (needed to keep a test passing as well as being a proper fix for svgo #1498)

Note that svgo changed their API from asynchronous to synchronous (see https://github.com/svg/svgo/releases/tag/v2.0.0 ). The reason I changed our functions to async (the syntax is ok because our engines range of Node 10+ as they were available since Node 8) was to ensure they would continue returning a Promise, thus avoiding changing our own API. I think perhaps it is fine to continue having an async API since this is the kind of thing that could become async again, but it's not technically needed anymore.

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

@brettz9
Copy link
Contributor Author

brettz9 commented Jul 9, 2021
edited
Loading

I'd be grateful for an ETA if possible. This is a vulnerability fix, so would hope it could be given some priority. Thanks!

This was referenced Sep 21, 2021
Open
Open
@brettz9
fix: update svgo to non-vulnerable version (older version relied on b…
054371b 
…ad `css-select` -> `css-what`)

The vulnerability is described at https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035

Also:
1. updates devDeps.
2. fixes problem with numeric entities for `<` and `&` not being permissible when they should be (needed to keep a test passing as well as being a proper fix)
@brettz9
Copy link
Contributor Author

brettz9 commented Dec 22, 2021

@tkyi : Could you merge this please? It's been a vulnerability for 6 months, and not much involved to the update.

@brettz9
Copy link
Contributor Author

brettz9 commented Apr 30, 2022

Do you want to archive the project if not maintaining it?

@AlonNavon
Copy link

AlonNavon commented Aug 1, 2023
edited
Loading

Hey @brettz9,

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an nth-check 1.02-sp1 that doesn't have CVE-2021-3803. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at [email protected] if you have any requests/questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brettz9 @AlonNavon