
Node16 npm audit moderate #494

Open
z-zp opened this issue Oct 20, 2022 · 2 comments

Comments

@z-zp

z-zp commented Oct 20, 2022

Do you want to request a feature, report a bug or ask a question?

What is the current behavior?

What is the expected behavior?

If the current behavior is a bug, please provide the steps to reproduce, at least the part of the webpack config with the loader configuration and a piece of your code.
The best way is to create a repo with a minimal setup to demonstrate the problem (package.json, webpack config and your code).
If you don't want to create a repository, create a gist with multiple files.

If this is a feature request, what is the motivation or use case for changing the behavior?

Please tell us about your environment:

  • Node.js version: 16
  • webpack version: 5
  • svg-sprite-loader version: 6.0.11
  • OS type & version: mac

Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. stackoverflow, gitter, etc)

```
┬ svg-sprite-loader@6.0.11
│ └─┬ svg-baker@1.7.0
│   ├─┬ postcss-prefix-selector@1.16.0
│   │ └── postcss@8.4.18 deduped
│   └── postcss@5.2.18
```

Its dependency postcss@5.2.18 needs to be upgraded: GHSA-566m-qj78-rww5

@MaximeCheramy

There is also a critical vulnerability:

```
loader-utils  <2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
No fix available
node_modules/loader-utils
node_modules/svg-baker/node_modules/loader-utils
```

Direct dependency:

```
├─┬ svg-sprite-loader@6.0.11
│ ├── loader-utils@1.4.0
```

@wermanoid

wermanoid commented Oct 7, 2024

And also critical vulnerability in htmlparser2.

It is recommended to update htmlparser2 to v5+.

```
└─┬ svg-sprite-loader@6.0.11
  └─┬ svg-baker@1.7.0
    └─┬ posthtml-svg-mode@1.0.3
      └─┬ posthtml-parser@0.2.1
        └── htmlparser2@3.10.1
```

Actually, is this package still somehow maintained?
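All three findings in this thread are transitive: the vulnerable package is pinned several levels below svg-sprite-loader, and for loader-utils npm itself reports "No fix available". The script below is an added example (not code from svg-sprite-loader, svg-baker or any commenter) showing how a consumer can triage such a report: it reads an `npm audit --json` style object, separates root-cause advisories from packages that are merely downstream, and derives a candidate `overrides` block for package.json (supported by npm 8.3 and later). The report object is constructed for the example in the shape of npm's `auditReportVersion: 2` output; the package names and advisory URLs are the ones quoted above, while the postcss affected range is an assumed placeholder and the helper names (`rootCauses`, `patchedSpecFromRange`, `proposeOverrides`) are this example's own.

```javascript
// Constructed sample shaped like `npm audit --json` (auditReportVersion 2).
// Names, node paths and advisory URLs come from the issue thread; the postcss
// range is an ASSUMED placeholder, not the real advisory data.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "loader-utils": {
      name: "loader-utils", severity: "critical", isDirect: false,
      via: [{ title: "Prototype pollution in webpack loader-utils",
              url: "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
              severity: "critical", range: "<2.0.3" }],
      effects: ["svg-sprite-loader"], range: "<2.0.3",
      nodes: ["node_modules/loader-utils",
              "node_modules/svg-baker/node_modules/loader-utils"],
      fixAvailable: false,
    },
    postcss: {
      name: "postcss", severity: "moderate", isDirect: false,
      via: [{ title: "postcss advisory (title not quoted in the issue)",
              url: "https://github.com/advisories/GHSA-566m-qj78-rww5",
              severity: "moderate", range: "<7.0.36" /* ASSUMED placeholder */ }],
      effects: ["svg-baker"], range: "<7.0.36",
      nodes: ["node_modules/svg-baker/node_modules/postcss"],
      fixAvailable: false,
    },
    "svg-sprite-loader": {
      name: "svg-sprite-loader", severity: "critical", isDirect: true,
      // a string in `via` means "vulnerable only through that dependency"
      via: ["loader-utils"], effects: [], range: "*",
      nodes: ["node_modules/svg-sprite-loader"], fixAvailable: false,
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Root causes are entries with at least one advisory object in `via`;
// entries whose `via` holds only package names are downstream effects.
function rootCauses(audit) {
  return Object.values(audit.vulnerabilities)
    .map((v) => {
      const advisories = v.via.filter((x) => typeof x === "object");
      return {
        name: v.name,
        severity: v.severity,
        isDirect: v.isDirect,
        fixAvailable: v.fixAvailable !== false,
        advisories: advisories.map((a) => a.url),
        ranges: advisories.map((a) => a.range),
        nodes: v.nodes,
      };
    })
    .filter((v) => v.advisories.length > 0)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Turn a simple upper-bound advisory range ("<2.0.3") into the spec that
// excludes it (">=2.0.3"). Disjunctions or multiple bounds return null so a
// human picks the version instead of the script guessing.
function patchedSpecFromRange(range) {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? `>=${m[1]}` : null;
}

// Candidate package.json "overrides": one entry per transitive root cause that
// npm reports as unfixable and whose range is simple enough to invert.
function proposeOverrides(audit) {
  const overrides = {};
  const needsReview = [];
  for (const v of rootCauses(audit)) {
    if (v.isDirect || v.fixAvailable) continue;
    const specs = v.ranges.map(patchedSpecFromRange);
    if (specs.length === 1 && specs[0] !== null) overrides[v.name] = specs[0];
    else needsReview.push(v.name);
  }
  return { overrides, needsReview };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const v of rootCauses(SAMPLE_AUDIT)) {
    console.log(`${v.severity.padEnd(8)} ${v.name}${v.fixAvailable ? "" : " (no fix via npm)"}`);
    for (const n of v.nodes) console.log(`         ${n}`);
  }
  console.log(JSON.stringify(proposeOverrides(SAMPLE_AUDIT), null, 2));
}
```

The proposed block is a starting point, not a patch: an override that jumps loader-utils from 1.x to 2.x or postcss from 5 to 8 forces svg-baker onto a major it was never tested with, so run the build and the sprite output through your test suite before committing it, and re-run `npm audit` afterwards to confirm the nodes listed above are gone.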
