Security vulnerability with css-what and glob-parent
hellmelt opened this issue
yarn audit outputs a high risk for css-what, a dependency of image-webpack-loader:
image-webpack-loader > imagemin-svgo > svgo > css-select > css-what
in addition to the previously reported normalize-url and trim-newlines.
Furthermore, there is a moderate risk in glob-parent:
image-webpack-loader > imagemin > globby > fast-glob > glob-parent
These are all problems with deeper dependencies.
- I don't think these have any risks (how would you exploit this on a webpack loader?)
- I try to keep up to date with the dependencies, but some of them are not well maintained (see #353) so it's not easy to fix.
- Pull requests that fix these are always welcome.
I'm closing this, but feel free to open a PR that fixes them or I'm willing to reopen if you can at least give any indication how this can be a risk for a webpack loader.
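As an added example that is not from this issue or the image-webpack-loader project, the helper below parses `yarn audit --json` records, finds the direct dependency each transitive finding hangs off and how deep in the chain it sits, filters by severity, and drafts a yarn `resolutions` entry from the advisory's patched range (the usual way to force a fix on a deep dependency the maintainer cannot bump directly). The audit records are constructed from the chains quoted in the issue; advisory ids and version ranges are placeholders.

```python
import json

# Constructed sample of `yarn audit --json` output (one JSON object per line).
# Paths mirror the dependency chains reported in the issue; ids and version
# ranges are placeholders, not real advisory data.
SAMPLE_AUDIT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1001, "dev": True,
                       "path": "image-webpack-loader>imagemin-svgo>svgo>css-select>css-what"},
        "advisory": {"module_name": "css-what", "severity": "high",
                     "patched_versions": ">=0.0.0-placeholder"}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1002, "dev": True,
                       "path": "image-webpack-loader>imagemin>globby>fast-glob>glob-parent"},
        "advisory": {"module_name": "glob-parent", "severity": "moderate",
                     "patched_versions": ">=0.0.0-placeholder"}}}),
    json.dumps({"type": "auditSummary", "data": {"vulnerabilities": {"high": 1, "moderate": 1}}}),
])

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_yarn_audit(text):
    """Return one finding per auditAdvisory record; summary lines are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("type") != "auditAdvisory":
            continue
        data = record["data"]
        chain = data["resolution"]["path"].split(">")
        adv = data["advisory"]
        findings.append({
            "module": adv["module_name"],
            "severity": adv["severity"],
            "direct_dependency": chain[0],   # package actually listed in package.json
            "depth": len(chain) - 1,         # 0 would mean the vulnerable package is direct
            "dev_only": bool(data["resolution"].get("dev")),
            "patched_versions": adv.get("patched_versions"),
        })
    return findings


def findings_at_or_above(findings, min_severity):
    """Keep findings whose severity meets the threshold (e.g. for a CI gate)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]


def suggest_resolutions(findings):
    """Draft package.json `resolutions` entries pinning each transitive module to its patched range."""
    return {"**/" + f["module"]: f["patched_versions"]
            for f in findings if f["depth"] > 0 and f["patched_versions"]}
```

Pipe real output into it with `yarn audit --json` to triage a lockfile; a drafted `resolutions` entry still needs the build and tests run before it is committed.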