
Update imagemin-svgo

Open apennell opened this issue 3 years ago • 2 comments

There's a reported ReDoS vulnerability with is-svg v4.2.1:

Vulnerable versions: >= 2.1.0, < 4.2.2
Patched version: 4.2.2

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

is-svg is a dependency of imagemin-svgo, which is a dependency of image-webpack-loader. The current latest release of imagemin-svgo, 9.0.0 ("imagemin-svgo": "^8.0.0" is used here), is still using is-svg 4.2.1, but there's an open issue and PR in that repo to bump the dependency up, so ideally image-webpack-loader would upgrade imagemin-svgo once that fix is in.

apennell, Apr 29 '21 19:04
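As an added illustration of the failure class the advisory above describes (this is example code written for this page, not code from is-svg, imagemin-svgo or image-webpack-loader, and it does not reproduce the real is-svg pattern): the regex below is a constructed stand-in with the same shape, a lazy wildcard inside a repeated group, placed beside a linear-time prefix check that cannot be driven into exponential backtracking. The pattern, the function names, the `maxLen` cap and the sample inputs are all assumptions made for this example.

```javascript
'use strict';

// Constructed stand-in for the ReDoS class in the is-svg advisory: a lazy
// wildcard inside a repeated group. This is NOT the pattern is-svg shipped.
// A comment body `[\s\S]*?` may stop at any `-->` in the input, so k comments
// can be grouped in 2^(k-1) ways; when `<svg` never appears, the engine
// backtracks through all of them before reporting a non-match.
const BACKTRACKING_SVG_RE = /^\s*(?:<!--[\s\S]*?-->\s*)*<svg/i;

// Adversarial input (constructed): k well-formed comments followed by a byte
// that can never start `<svg`, which forces exhaustive backtracking.
function hostileInput(k) {
  return '<!-- --> '.repeat(k) + 'x';
}

// Wall-clock cost of one call to `check(input)`, in milliseconds.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());
function measureMs(check, input) {
  const t0 = now();
  check(input);
  return now() - t0;
}

// Linear-time replacement (constructed for this example). Each step advances
// by indexOf or a bounded loop, so cost is O(n) for every input. It is also
// deliberately stricter than the regex: a comment ends at the FIRST `-->`
// (a parser's reading, and exactly the ambiguity backtracking exploits) and
// `<svg` must be followed by a tag delimiter. Only the first `maxLen`
// characters are inspected: a prefix check needs no more, and the cap bounds
// the cost even if a caller passes a multi-megabyte buffer.
function looksLikeSvgLinear(input, maxLen = 1 << 16) {
  const s = input.length > maxLen ? input.slice(0, maxLen) : input;
  const n = s.length;
  let i = 0;
  const skipWs = () => { while (i < n && /\s/.test(s[i])) i++; };

  skipWs();
  while (s.startsWith('<!--', i)) {
    const end = s.indexOf('-->', i + 4);
    if (end === -1) return false;          // unterminated comment: not SVG
    i = end + 3;
    skipWs();
  }
  if (s.slice(i, i + 4).toLowerCase() !== '<svg') return false;
  const after = s[i + 4];
  return after === undefined || /[\s>/]/.test(after);
}

// Demo: each extra comment roughly doubles the regex cost on hostile input,
// while the linear check stays flat. k is kept small so this finishes quickly.
for (const k of [12, 16]) {
  const input = hostileInput(k);
  const regexMs = measureMs((s) => BACKTRACKING_SVG_RE.test(s), input);
  const linearMs = measureMs(looksLikeSvgLinear, input);
  console.log(`k=${k}: regex ${regexMs.toFixed(1)} ms, linear ${linearMs.toFixed(3)} ms`);
}
```

Raising `k` by one in `hostileInput` roughly doubles the regex time and leaves the linear check unchanged, which is the behaviour the advisory's "stuck processing the input for a very long time" refers to. To see which is-svg an installed tree actually resolves through imagemin-svgo and image-webpack-loader, `npm ls is-svg` prints the dependency path and version from the lockfile.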

Hello. Is there a plan to upgrade the dependency within the image-webpack-loader? The issue mentioned above https://github.com/imagemin/imagemin-svgo/issues/45 has been closed.

ebongso, Jun 21 '22 20:06

imagemin-svgo was updated to version 9.0.0 in Release 8.0.0 (as visible in the CHANGELOG.md), so I think this issue can be closed.

sykaeh, Sep 04 '22 22:09