
Do not modify dependencies until coa vulnerability is resolved

Open Nantris opened this issue 4 years ago • 2 comments

One or more of the dependencies for svgo depends on coa. The current version being installed with svgo is [email protected], which is safe.

Newer versions are infected with malware, so no dependencies should be added or upgraded until it's certain that the associated coa version is safe.

https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/


Users should consider pinning their coa version via package.json's resolutions like so:

"resolutions": {
  "coa": "2.0.2"
}

Nantris avatar Nov 04 '21 21:11 Nantris

SVGO v2 does not use coa. SVGO v1 is no longer supported.

TrySound avatar Nov 04 '21 21:11 TrySound

I'll leave the issue open for others

TrySound avatar Nov 04 '21 21:11 TrySound