js-yaml throwing security errors
RobPethick opened this issue · 2 comments
When running npm audit I get the following results:
Moderate Denial of Service
Package js-yaml
Patched in >=3.13.0
Dependency of react-svg-loader [dev]
Path react-svg-loader > react-svg-core > svgo > js-yaml
More info https://nodesecurity.io/advisories/788
High Code Injection
Package js-yaml
Patched in >=3.13.1
Dependency of react-svg-loader [dev]
Path react-svg-loader > react-svg-core > svgo > js-yaml
More info https://nodesecurity.io/advisories/813
Looks like svgo have updated their version of js-yaml to fix this; we just need to update the version of svgo to get that change.
Looks like this might have been done in commit 27bce4a.
But this doesn't look like it has been released as a new version of react-svg-loader with the new reference to react-svg-core.
published 3.0.1 - https://github.com/boopathi/react-svg-loader/releases/tag/v3.0.1
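To confirm after upgrading that no vulnerable copy of js-yaml remains anywhere in the tree, the check can be scripted. The following is an added example, not code from this thread or from react-svg-loader: it walks a dependency tree shaped like `npm ls --json` output and reports every path ending in a js-yaml below 3.13.1. The names `findVulnerable`, `compareVersions` and `sampleTree` are hypothetical, and the sample tree and its version numbers are constructed.

```javascript
// Added example: walk a dependency tree (the nested shape `npm ls --json` prints)
// and report every path that ends in a js-yaml older than the patched version.
const PATCHED = '3.13.1'; // "Patched in >=3.13.1" from the audit output in this issue

// Compare two plain x.y.z versions numerically; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for each copy of `name` below `patched`.
function findVulnerable(deps, name, patched, trail = []) {
  const hits = [];
  for (const [pkg, info] of Object.entries(deps || {})) {
    const path = [...trail, pkg];
    if (pkg === name && info.version && compareVersions(info.version, patched) < 0) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    hits.push(...findVulnerable(info.dependencies, name, patched, path));
  }
  return hits;
}

// Constructed sample tree; every version number here is made up for illustration.
const sampleTree = {
  dependencies: {
    'react-svg-loader': { version: '0.0.0', dependencies: {
      'react-svg-core': { version: '0.0.0', dependencies: {
        svgo: { version: '0.0.0', dependencies: {
          'js-yaml': { version: '3.12.0' },
        } },
      } },
    } },
    'other-tool': { version: '0.0.0', dependencies: {
      'js-yaml': { version: '3.13.1' },
    } },
  },
};

const report = findVulnerable(sampleTree.dependencies, 'js-yaml', PATCHED);
console.log(report);
```

On a real project, replace `sampleTree` with the parsed output of `npm ls --json`; an empty result means every installed js-yaml is at or above the patched version.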