Edit: I am also open to ditching svg-sprite-loader entirely if someone has suggestions.
Running npm audit finds 4 vulnerabilities and suggests forcing a breaking change to svg-sprite-loader (reverting it from v6 back to v2??).
That fixes one vulnerability, but the remaining 3 don't seem to be affected by running npm audit fix as suggested. I'm at a loss how to fix it.
npm: 8.10.0
Node: 16.14.0
webpack: 5.72.1
svg-sprite-loader: 6.0.11
The audit report before running npm audit fix --force:
postcss <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install svg-sprite-loader@2.0.3, which is a breaking change
node_modules/postcss
svg-baker >=1.2.5
Depends on vulnerable versions of postcss
node_modules/svg-baker
svg-baker-runtime >=1.4.0-alpha.10475b37
Depends on vulnerable versions of svg-baker
node_modules/svg-baker-runtime
svg-sprite-loader >=2.0.4
Depends on vulnerable versions of svg-baker
Depends on vulnerable versions of svg-baker-runtime
node_modules/svg-sprite-loader
4 moderate severity vulnerabilities
The report after npm audit fix --force
postcss <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix`
node_modules/postcss
svg-baker >=1.2.5
Depends on vulnerable versions of postcss
node_modules/svg-baker
svg-baker-runtime >=1.4.0-alpha.10475b37
Depends on vulnerable versions of svg-baker
node_modules/svg-baker-runtime
3 moderate severity vulnerabilities
Running npm audit fix doesn't fix those vulnerabilities, and I don't really know how to deal with them. I would appreciate someone taking a look who might understand the problem better than I do.
from Unable to fix package vulnerability (svg-sprite-loader)