swisnl/vue-cli-plugin-svg-sprite

Provide fix for `npm audit`?

verlok opened this issue · 2 comments

postcss  <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
No fix available
node_modules/svg-baker/node_modules/postcss
  svg-baker  >=1.2.5
  Depends on vulnerable versions of postcss
  node_modules/svg-baker
    svg-baker-runtime  >=1.4.0-alpha.10475b37
    Depends on vulnerable versions of svg-baker
    node_modules/svg-baker-runtime
      svg-sprite-loader  >=2.0.4
      Depends on vulnerable versions of svg-baker
      Depends on vulnerable versions of svg-baker-runtime
      node_modules/svg-sprite-loader
        vue-cli-plugin-svg-sprite  *
        Depends on vulnerable versions of svg-sprite-loader
        node_modules/vue-cli-plugin-svg-sprite

5 moderate severity vulnerabilities

Looks like the easy fix would be to upgrade to a newer version of postcss, am I right?

JaZo commented

This regards a deeply nested dependency of svg-sprite-loader. I don't think we can fix that as we already use the latest version. Maybe you have some luck in opening an issue for the package actually using postcss (svg-baker). If you think otherwise, please feel free to reopen and explain how.
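Added example, not code from the issue thread or from the plugin: the question in this thread is really "which direct dependency pulls in the vulnerable postcss, and can the consumer do anything when the maintainer cannot?". The script below walks the JSON form of `npm audit` output (`npm audit --json`, npm 7+ report schema) to answer both. The report object is constructed to mirror the text output quoted above and is not real audit output; `advisoryPaths`, `rootCauses`, `overrideFor` and `suggestedOverrides` are names chosen for this example.

```javascript
// Constructed sample in the `npm audit --json` (npm >= 7) shape, mirroring the
// chain reported in the issue. Object entries in `via` are advisories; string
// entries point one level further down the dependency chain.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    postcss: {
      name: "postcss", severity: "moderate", isDirect: false,
      via: [{
        name: "postcss", dependency: "postcss",
        title: "Regular Expression Denial of Service in postcss",
        url: "https://github.com/advisories/GHSA-566m-qj78-rww5",
        severity: "moderate", range: "<7.0.36",
      }],
      effects: ["svg-baker"], range: "<7.0.36",
      nodes: ["node_modules/svg-baker/node_modules/postcss"], fixAvailable: false,
    },
    "svg-baker": {
      name: "svg-baker", severity: "moderate", isDirect: false,
      via: ["postcss"], effects: ["svg-baker-runtime", "svg-sprite-loader"],
      range: ">=1.2.5", fixAvailable: false,
    },
    "svg-baker-runtime": {
      name: "svg-baker-runtime", severity: "moderate", isDirect: false,
      via: ["svg-baker"], effects: ["svg-sprite-loader"],
      range: ">=1.4.0-alpha.10475b37", fixAvailable: false,
    },
    "svg-sprite-loader": {
      name: "svg-sprite-loader", severity: "moderate", isDirect: false,
      via: ["svg-baker", "svg-baker-runtime"], effects: ["vue-cli-plugin-svg-sprite"],
      range: ">=2.0.4", fixAvailable: false,
    },
    "vue-cli-plugin-svg-sprite": {
      name: "vue-cli-plugin-svg-sprite", severity: "moderate", isDirect: true,
      via: ["svg-sprite-loader"], effects: [], range: "*", fixAvailable: false,
    },
  },
};

// Follow string `via` links from `pkg` downwards until an advisory object is
// reached. Returns one {advisory, chain} per distinct path; `chain` lists the
// package names from `pkg` down to the package the advisory applies to.
function advisoryPaths(report, pkg, path = []) {
  if (path.includes(pkg)) return []; // guard against cyclic `via` links
  const entry = report.vulnerabilities[pkg];
  if (!entry) return [];
  const chain = [...path, pkg];
  const found = [];
  for (const link of entry.via) {
    if (typeof link === "string") found.push(...advisoryPaths(report, link, chain));
    else found.push({ advisory: link, chain });
  }
  return found;
}

// The report from the project's point of view: for every direct dependency
// npm flagged, the advisory it ultimately depends on and whether npm has a fix.
function rootCauses(report) {
  const rows = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    if (!entry.isDirect) continue;
    for (const { advisory, chain } of advisoryPaths(report, name)) {
      const vulnerable = chain[chain.length - 1];
      rows.push({
        direct: name,
        vulnerable,
        chain: chain.join(" > "),
        url: advisory.url,
        severity: advisory.severity,
        vulnerableRange: advisory.range,
        fixAvailable: report.vulnerabilities[vulnerable].fixAvailable,
      });
    }
  }
  return rows;
}

// Turn a plain "<X" advisory range into the ">=X" constraint a consumer can put
// under "overrides" in package.json (npm >= 8.3) to force the nested copy onto
// a patched release. Anything more complex returns null instead of guessing.
function overrideFor(range) {
  const m = /^<\s*([0-9]+\.[0-9]+\.[0-9]+)$/.exec(range.trim());
  return m ? `>=${m[1]}` : null;
}

// Only packages npm itself cannot fix need a manual override.
function suggestedOverrides(report) {
  const overrides = {};
  for (const row of rootCauses(report)) {
    if (row.fixAvailable) continue;
    const constraint = overrideFor(row.vulnerableRange);
    if (constraint) overrides[row.vulnerable] = constraint;
  }
  return overrides;
}

for (const row of rootCauses(auditReport)) {
  console.log(`${row.severity} ${row.url}\n  ${row.chain} (${row.vulnerableRange})`);
}
console.log(JSON.stringify({ overrides: suggestedOverrides(auditReport) }, null, 2));
```

The `overrides` entry it prints pins a postcss release that svg-baker never declared support for, so treat it as a stopgap and run the build afterwards. Also weigh the finding: svg-sprite-loader runs at build time, so the ReDoS exposure is whatever the build feeds to postcss, not the shipped application.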