Version 1.5.4 of svg-sprite has security issues revealed in npm audit

Question

Version 1.5.4 of svg-sprite has security issues revealed in npm audit

jeremyrperry opened this issue 2 years ago · comments

Jeremy Perry commented 2 years ago

Steps to Reproduce:

In a node.js project with the latest version of svg-sprite installed, run npm audit.

Expected Results:

There are no vulnerabilities revealed.

Actual Results:

There are vulnerabilities revealed. A text file from the console output is attached.

npm audit results for svg-sprite.txt

一丝 · Answer 1 · Sat Jun 18 2022 10:52:13 GMT+0800 (China Standard Time)

Recommended upgrade to 2.0

XhmikosR · Answer 2 · Wed Jun 22 2022 02:29:56 GMT+0800 (China Standard Time)

Yeah, nothing we can do because svgo 2.x is a breaking change. You can use the beta until we release v2.0.0 stable.

Jeremy Perry · Answer 3 · Wed Jun 29 2022 00:37:47 GMT+0800 (China Standard Time)

This issue stems from using an old version of the nth-check module. For anyone who is looking for a interim fix but wants to wait for version 2.x to be stable, it's also possible to modify their package.json file to use the latest nth-check version as an override. An example snippet is below.

{
"devDependencies":{
"nth-check": "^2.1.1"
},
"overrides": {
"svg-sprite": {
"svgo": {
"css-select": {
"nth-check": "$nth-check"
}
}
}
}
}