w0rm / gulp-svgstore

Combine svg files into one with symbol elements

Home Page: https://www.npmjs.com/package/gulp-svgstore

css-what dependency is vulnerable to Denial of Service

IlyaShestakov opened this issue

When using gulp-svgstore@7.0.1 npm audit reports:

High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   gulp-svgstore [dev]
  Path            gulp-svgstore > cheerio > css-select > css-what
  More info       https://npmjs.com/advisories/1754

Proposed fix
Upgrade the dependency on css-select to be ^4.1.3 since 4.1.3 bumps their dependency on css-what to 5.0.1 and fixes this issue.

Fixed in 8.0.0
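
A check for the condition reported in this issue, as an added example that is not part of the original thread or the gulp-svgstore project: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and lists every installed css-what copy below the patched 5.0.1. The sample lockfile, its paths and its versions are constructed, and `findVulnerable`, `isBelow` and `parseVersion` are hypothetical helper names.

```javascript
// Added example: list installed css-what copies older than the patched release.
const PATCHED = "5.0.1"; // "Patched in >=5.0.1" from the npm audit output above

// Constructed sample in the package-lock.json v2/v3 "packages" layout.
// Paths and versions are illustrative, not taken from a real lockfile.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/gulp-svgstore": { version: "7.0.1", dev: true },
    "node_modules/css-select": { version: "4.1.2", dev: true },
    "node_modules/css-what": { version: "5.0.0", dev: true },
    // A second, nested copy that already satisfies the patched range.
    "node_modules/other-tool/node_modules/css-what": { version: "5.0.1" },
  },
};

// Parse major.minor.patch; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` sorts strictly below `floor`.
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Every installed copy of `name` (top-level or nested) below `patched`.
function findVulnerable(lock, name, patched) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isBelow(meta.version, patched))
    .map(([path, meta]) => ({ path, version: meta.version, dev: !!meta.dev }));
}

console.log(findVulnerable(sampleLock, "css-what", PATCHED));
```

Matching on the `node_modules/<name>` path suffix catches nested copies that a top-level lookup would miss, and the `dev` flag shows whether the copy ships only with development tooling, as the `[dev]` marker in the audit output indicates here.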