
Moderate security vulnerability - Inefficient Regular Expression Complexity in nth-check

Open ilyen85 opened this issue 3 years ago • 4 comments

Hi!

I received this notification when I ran npm audit.

npm audit
# npm audit report

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
No fix available
node_modules/vue-svg-inline-loader/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/vue-svg-inline-loader/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/vue-svg-inline-loader/node_modules/svgo
      vue-svg-inline-loader  *
      Depends on vulnerable versions of svgo
      node_modules/vue-svg-inline-loader

4 moderate severity vulnerabilities

Can you please update the svgo version this package is using?

Thanks!

ilyen85 avatar Dec 21 '21 12:12 ilyen85
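The audit output above shows how npm reaches a "moderate" finding against a package nobody installed directly: it follows the installed dependency tree down to a copy of nth-check whose version falls inside the advisory's range, then reports every package on the path as "Depends on vulnerable versions of". The following is an added example, not code from this issue or from the loader's repository, that reconstructs that chain from a tree in the shape `npm ls --json --all` prints. The tree, including the loader's version number, is constructed for the example; the version ranges are the ones the audit report names.

```javascript
// Added example: find every path from the project root to an installed copy of a
// package whose version matches an advisory range, the way npm audit does.

// Constructed dependency tree mirroring the chain in the audit report above.
// The loader's version is illustrative; nested copies are deliberate, because a
// patched top-level copy does not fix a vulnerable copy nested under a dependency.
const CONSTRUCTED_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "vue-svg-inline-loader": {
      version: "0.0.0", // illustrative, not a real release
      dependencies: {
        svgo: {
          version: "1.3.2",
          dependencies: {
            "css-select": {
              version: "2.1.0",
              dependencies: { "nth-check": { version: "1.0.2" } },
            },
          },
        },
      },
    },
    // Hoisted, already-patched copy: must not be reported.
    "nth-check": { version: "2.0.1" },
  },
};

// Minimal semver handling for x.y.z versions (pre-release tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports the range forms npm audit prints: "<2.0.1", "<=3.1.0", "1.0.0 - 1.3.2", "*".
function inRange(version, range) {
  const r = range.trim();
  if (r === "*") return true;
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(r);
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  }
  const m = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

// Depth-first walk. Returns one path (array of {name, version}) per vulnerable
// installed copy of `pkg`; every package on the path "depends on vulnerable versions".
function findVulnerablePaths(tree, pkg, range) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, { name, version: node.version }];
    if (name === pkg && inRange(node.version, range)) hits.push(here);
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(sub, child, here);
    }
  };
  for (const [child, sub] of Object.entries(tree.dependencies || {})) {
    walk(sub, child, []);
  }
  return hits;
}

// The direct dependencies that pull the vulnerable copy in, i.e. what you would
// have to upgrade, replace or vendor to make the finding go away.
function offendingDirectDeps(paths) {
  return [...new Set(paths.map((p) => p[0].name))];
}

const paths = findVulnerablePaths(CONSTRUCTED_TREE, "nth-check", "<2.0.1");
for (const p of paths) {
  console.log(p.map((n) => `${n.name}@${n.version}`).join(" > "));
}
console.log("direct dependencies responsible:", offendingDirectDeps(paths));
```

Running it prints the single path `vue-svg-inline-loader > svgo > css-select > nth-check`, and ignores the patched top-level nth-check, which is why `npm audit` keeps reporting the finding even after a top-level install of nth-check 2.x: the copy under `node_modules/vue-svg-inline-loader/node_modules/` is the one that counts.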

Hello,

I'm aware of this warning, but I have no plans to upgrade for now. I tried to upgrade when SVGO version 2 was released, but couldn't figure out all the API changes needed to preserve the current functionality. Probably something has changed since then, because there is a recent fork of this package that updated SVGO to version 2. Unfortunately, I don't have much free time to invest in this project.

Thanks.

oliverfindl avatar Dec 21 '21 13:12 oliverfindl

Hello,

I had some spare time and upon brief investigation I found out that SVGO changed their config file structure. Upgrading to version 2 would be a breaking change, so it would be necessary to release a new major version of this loader. With a new version it would be necessary to update (or recreate, so they would get an up-to-date codebase) all examples, which is a very time-consuming process for me.

I will leave this issue open, so I might revisit it later.

Thanks.

oliverfindl avatar Mar 05 '22 22:03 oliverfindl

Ok, thank you for your time, checking it though :)

ilyen85 avatar Apr 11 '22 13:04 ilyen85

For anyone not using svgo and wanting to get rid of the svgo dependency with the security risks, here's what I did:

  • uninstalled the loader using npm
  • copied this file to my project (as vue-svg-inline-loader.js): https://github.com/oliverfindl/vue-svg-inline-loader/blob/master/src/index.js
  • removed the svgo stuff from there (it also has to be removed from the webpack config if there's still an svgo option)
  • pointed the webpack config to the new, local loader:
const path = require('path');

// Redirect the loader name used in module.rules to the vendored copy.
cfg.resolveLoader.alias = {
    'vue-svg-inline-loader': path.resolve(__dirname, 'loaders', 'vue-svg-inline-loader.js')
};

therealcoder1337 avatar Aug 11 '22 12:08 therealcoder1337