Version 1.5.4 of svg-sprite has security issues revealed in npm audit
jeremyrperry opened this issue
Steps to Reproduce:
- In a node.js project with the latest version of svg-sprite installed, run npm audit.
Expected Results:
There are no vulnerabilities revealed.
Actual Results:
There are vulnerabilities revealed. A text file from the console output is attached.
Recommended upgrade to 2.0
Yeah, nothing we can do because svgo 2.x is a breaking change. You can use the beta until we release v2.0.0 stable.
This issue stems from using an old version of the nth-check module. For anyone who is looking for an interim fix but wants to wait for version 2.x to be stable, it's also possible to modify their package.json file to use the latest nth-check version as an override. An example snippet is below.
{
  "devDependencies": {
    "nth-check": "^2.1.1"
  },
  "overrides": {
    "svg-sprite": {
      "svgo": {
        "css-select": {
          "nth-check": "$nth-check"
        }
      }
    }
  }
}
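
Added example, not part of the original thread or the svg-sprite project: a check that the override above actually took effect, by listing every copy of nth-check recorded in a parsed package-lock.json and flagging any below 2.1.1. The two lockfile objects are constructed samples; the first shows a nested copy still below the floor, as can happen when nth-check is added only as a devDependency. The function names are hypothetical.

```javascript
// Floor taken from the override quoted above ("^2.1.1").
const MIN_NTH_CHECK = "2.1.1";

// Constructed sample lockfiles (lockfileVersion 3 layout); the nested
// css-select path and the 1.0.2 version are made up for illustration.
const lockWithoutOverride = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/svg-sprite": { version: "1.5.4" },
  "node_modules/nth-check": { version: "2.1.1" },
  "node_modules/css-select/node_modules/nth-check": { version: "1.0.2" },
} };
const lockWithOverride = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/svg-sprite": { version: "1.5.4" },
  "node_modules/nth-check": { version: "2.1.1" },
} };

// Compare plain x.y.z versions: negative, 0 or positive.
// Assumption: plain numeric versions; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`, top-level or nested, with a pass/fail flag.
function auditPackage(lock, name, minVersion) {
  if (!lock.packages) throw new Error("needs lockfileVersion 2 or 3");
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([path, meta]) => meta.version &&
      (path === suffix || path.endsWith("/" + suffix)))
    .map(([path, meta]) => ({ path, version: meta.version,
      ok: compareVersions(meta.version, minVersion) >= 0 }));
}

// For a real project, pass the parsed contents of package-lock.json instead.
for (const [label, lock] of [["no override", lockWithoutOverride],
                             ["override", lockWithOverride]]) {
  for (const e of auditPackage(lock, "nth-check", MIN_NTH_CHECK)) {
    console.log(`${label}: ${e.path} ${e.version} ${e.ok ? "ok" : "STALE"}`);
  }
}
```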