w0rm/gulp-svgstore

css-what dependency is vulnerable to Denial of Service

IlyaShestakov opened this issue · 1 comment

When using gulp-svgstore@7.0.1 npm audit reports:

High            Denial of Service
  Package         css-what
  Patched in      >=5.0.1
  Dependency of   gulp-svgstore [dev]
  Path            gulp-svgstore > cheerio > css-select > css-what
  More info       https://npmjs.com/advisories/1754

Proposed fix
Upgrade the dependency on css-select to be ^4.1.3 since 4.1.3 bumps their dependency on css-what to 5.0.1 and fixes this issue.

w0rm commented

Fixed in 8.0.0
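
To check after an upgrade that no copy of css-what below 5.0.1 is still installed, this added example (not code from this thread or from gulp-svgstore) walks a dependency tree shaped like the output of `npm ls --all --json`. The sample trees, the project name and every version not quoted in the issue are constructed placeholders.

```javascript
// Compare plain x.y.z versions; pre-release suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return one finding per installed copy of pkgName older than patchedFrom.
function findUnpatched(tree, pkgName, patchedFrom) {
  const findings = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = path.concat(name);
      if (name === pkgName && dep.version &&
          compareVersions(dep.version, patchedFrom) < 0) {
        findings.push({ version: dep.version, path: here.join(' > ') });
      }
      walk(dep, here); // nested copies can differ from hoisted ones
    }
  };
  walk(tree, []);
  return findings;
}

// Constructed trees. "0.0.0" and "4.0.0" are placeholder versions, not real data.
function sampleTree(svgstore, cssSelect, cssWhat) {
  return { name: 'my-project', version: '1.0.0', dependencies: {
    'gulp-svgstore': { version: svgstore, dependencies: {
      cheerio: { version: '0.0.0', dependencies: {
        'css-select': { version: cssSelect, dependencies: {
          'css-what': { version: cssWhat } } } } } } } } };
}
const before = sampleTree('7.0.1', '0.0.0', '4.0.0');
const after = sampleTree('8.0.0', '4.1.3', '5.0.1');

console.log(findUnpatched(before, 'css-what', '5.0.1'));
console.log(findUnpatched(after, 'css-what', '5.0.1'));
```

On a real project, pass the parsed JSON from `npm ls --all --json` as `tree`; a finding whose path does not run through gulp-svgstore means another dependency pulls in its own old copy.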