Upgrade to latest version of svgo #45
Comments
It will also resolve a security vulnerability that was found in js-yaml.
It will also resolve a code injection vulnerability:
Since no user yaml code is used as input, neither of these is actually a vulnerability here; they're just false positives.
That's true, but it does create noise around npm vulnerabilities and should be fixed.
…l used by babel-plugin-inline-react-svg (airbnb/babel-plugin-inline-react-svg#45)
helloooo, should be pretty easy to fix, right? I want to use this module since it's like half the size of react-svg-loader :)
No, it's not easy to fix, nor is it necessary except to avoid false-positive audit warnings.
@OZZlE I think the next step to fixing this would be to expose a synchronous API from svgo: svg/svgo#1015
Any outlook on fixing this?
@Chengxuan please see #45 (comment)
The maintainer of svgo couldn't respond to a reasonable request for nearly a year? It's like a zombie; why not fork or reproduce it?
@ljharb It's necessary for convincing your boss to let you use this module.
Since most CVEs are false positives for most people, if that's the situation you're in, you're going to find yourself unable to use a lot of useful modules, unfortunately :-/
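The situation described in the thread is the usual one: `npm audit` flags a transitive dependency (here js-yaml, pulled in by svgo) whose vulnerable code path the project never feeds untrusted input. What a reviewer actually needs is a way to record that assessment rather than ignore the warning. The script below is an added example, not code from babel-plugin-inline-react-svg or svgo: it triages an audit report against an allowlist whose entries carry a reason and an expiry, so suppressed findings are re-reviewed instead of silently outliving the dependency graph they were assessed against. The report shape (a `vulnerabilities` map keyed by package name, each entry with `severity`, `range`, `via` and `effects`) approximates npm 7+ `npm audit --json` output and is an assumption; the findings, the second package name and the reviewer address are constructed for the example.

```javascript
// Added example (not the plugin's or svgo's code): filter an npm audit report
// through a documented allowlist of findings already assessed as unreachable.
// The report shape is an assumption modelled on npm 7+ `npm audit --json`.

// Constructed sample report. The js-yaml entry mirrors the thread's finding;
// 'example-transitive-dep' is a made-up package standing in for an
// unreviewed finding.
const sampleAudit = {
  vulnerabilities: {
    'js-yaml': {
      name: 'js-yaml',
      severity: 'high',
      range: '<3.13.1',
      via: [{ title: 'Code Injection' }],
      effects: ['svgo'], // only reached through svgo's own config loader
    },
    'example-transitive-dep': {
      name: 'example-transitive-dep',
      severity: 'moderate',
      range: '<2.0.0',
      via: [{ title: 'Prototype Pollution' }],
      effects: ['some-build-tool'],
    },
  },
};

// Each exception records the affected range, why it is accepted, who accepted
// it, and when it must be re-reviewed. Matching on the exact `range` string
// means a new advisory against the same package with a different range is
// not swallowed by an old exception.
const allowlist = [
  {
    name: 'js-yaml',
    range: '<3.13.1',
    reason: "only parses the repository's own svgo config, never untrusted YAML",
    reviewedBy: 'security@example.invalid', // placeholder, assumed
    expires: '2020-01-01',
  },
];

// Returns the findings that still need a human (`actionable`) and the ones
// covered by an unexpired exception (`suppressed`).
function triage(report, exceptions, now = new Date()) {
  const actionable = [];
  const suppressed = [];
  for (const finding of Object.values(report.vulnerabilities)) {
    const exception = exceptions.find(
      (e) =>
        e.name === finding.name &&
        e.range === finding.range &&
        new Date(e.expires) > now, // an expired exception no longer applies
    );
    if (exception) {
      suppressed.push({
        name: finding.name,
        reason: exception.reason,
        expires: exception.expires,
      });
    } else {
      actionable.push(finding);
    }
  }
  return { actionable, suppressed };
}

// Stand-alone run: show what remains after applying the allowlist.
const result = triage(sampleAudit, allowlist, new Date('2019-06-01'));
for (const f of result.suppressed) {
  console.log(`suppressed ${f.name}: ${f.reason} (re-review by ${f.expires})`);
}
for (const f of result.actionable) {
  console.log(`ACTION ${f.severity} ${f.name}@${f.range} via ${f.effects.join(', ')}`);
}
```

Run it with a date past the exception's expiry and the js-yaml finding comes back as actionable; that is the intended behaviour, since the assessment "no user YAML reaches js-yaml" is only valid for the dependency graph that existed when it was written.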
There's a PR open now: #35
It closes #34
It also closes #44