Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade svgo from 1.3.2 to 3.3.2 #10

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade svgo from 1.3.2 to 3.3.2 #10

wants to merge 1 commit into from

Conversation

snyk-io[bot]
Copy link

@snyk-io snyk-io bot commented Jul 17, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade svgo from 1.3.2 to 3.3.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 27 versions ahead of your current version.

  • The recommended version was released on 2 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462		 235 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032		 235 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795		 235 Proof of Concept
Release notes
Package name: svgo
  • 3.3.2 - 2024-05-09

    Notice

    An update on what happened with v3.3.0 and v3.3.1. While we have retained CJS support, the migration to ESM has changed the acceptable ways to import SVGO, in ways that users depended on before. This effectively made SVGO v3 a breaking change.

    Rather than resolve or workaround these differences, we've opted to release SVGO v3.3.2, which is effectively a revert to v3.2.0, and deprecate versions v3.3.0 and v3.3.1. We'll then proceed to work on releasing v4 which will document the breaking changes, and feature further breaking changes that were slated for v4, like disabling removeViewBox by default.

    Before the v4.0.0 release, I'll put more focus on testing and use release candidates, just to make the release go smoothly! 👍🏽

    Sorry for the headache, and thanks for your patience.

  • 3.3.1 - 2024-05-08

    Notice

    SVGO v3.3.0, which was meant to migrate to ESM without breaking CJS support, unfortunately broke CJS projects. There was a mistake with exports, so the loadConfig function wasn't available in the CJS bundle and lead to issues for many users.

    Thanks to everyone who raised the issue, and to @ nuintun who submitted a pull request to resolve it so quickly.

    I apologize for letting that breaking change through, and will aim to do better. Namely, by adding more tests to cover our exports, and any other public interface in general for each distribution of SVGO, so this doesn't happen again.

    SVGO v3.3.1 should resolve the issue for CJS projects, but if you encounter anything else, do let us know by opening an issue on GitHub.

  • 3.3.0 - 2024-05-08

    Deprecated

    This release introduced breaking changes, which have been reverted in v3.3.2. The bug fixes will be reintroduced in v4.0.0.

    What's Changed

    ESM

    SVGO is now a dual package, serving for both Common JS and ESM usage. We believe there shouldn't be any problems, especially as SVGO as largely stateless, but feel free to open an issue if you encounter problems with this.

    To be explicit, this is not a breaking change, and SVGO should continue to work in Common JS projects!

    Thanks to @ jdufresne for doing the bulk of the work.

    Default Behavior

    • convertColors, now converts all references to colors excluding references to IDs to lowercase. This can be disabled by setting convertCase to false.

    Bug Fixes

    • cleanupIds, treat both URI encoded and non-URI encoded IDs as the same. By @ liuweifeng in #1982
    • collapseGroups, check styles as well as attributes. By @ johnkenny54 in #1952
    • collapseGroups, move attributes atomically. By @ johnkenny54 in #1930
    • convertPathData, fix q control point when item is removed. By @ KTibow in #1927
    • convertPathData, preserve vertex for markers only paths. By @ SethFalco in #1967
    • mergePaths, don't merge paths if attributes/styles depend on the node's bounding box. By @ johnkenny54 in #1964
    • moveElemsAttrsToGroups, no longer moves the transforms if group has the filter attribute. By @ johnkenny54 in #1933
    • prefixIds, fixed issue where some IDs were not prefixed when style tag contained XML comments. By @ john-neptune in #1942
    • removeHiddenElems, don't remove node if child element has a referenced ID. By @ johnkenny54 in #1925
    • removeHiddenElems, treat path[opacity=0] as a non-rendering node. By @ johnkenny54 in #1948
    • removeUselessDefs, don't remove node if child element has an ID. By @ johnkenny54 in #1923
    • When stringifying path data, include a space before numbers represented in scientific notation. By @ johnkenny54 in #1961
    • No longer crashes when the output (-o argument) ends with a trailing slash to a location that didn't exist. By @ SethFalco in #1954

    SVG Optimization

    • convertColors, introduce parameter to convert colors to common casing (lowercase/uppercase). By @ JayLeininger in #1692
    • removeDeprecatedAttrs, new plugin that is disabled by default to remove SVG attributes that are deprecated. By @ jdufresne in #1869

    Metrics

    Before and after using vectors from various sources, with the default preset of each respective version:

    SVG Original v3.2.0 v3.3.0 Delta
    Arch Linux Logo 9.529 KiB 4.115 KiB 4.097 KiB ⬇️ 0.018 KiB
    Blobs 50.45 KiB 42.623 KiB 42.609 KiB ⬇️ 0.014 KiB
    Isometric Madness 869.034 KiB 540.582 KiB 540.073 KiB ⬇️ 0.509 KiB
    tldr-pages Banner 2.071 KiB 1.07 KiB 1.07 KiB
    Wikipedia Logo 161.551 KiB 111.668 KiB 111.668 KiB

    Before and after of the browser bundle of each respective version:

    v3.2.0 v3.3.0 Delta
    svgo.browser.js 910.9 kB 753.0 kB ⬇️ 157.9 kB
  • 3.2.0 - 2024-01-02

    What's Changed

    Bug Fixes

    SVG Optimization

    • convertPathData, improves closing paths and how we determine if to use absolute or relative commands. By @ KTibow in #1867
    • convertPathData, round arc or convert to lines based on the sagitta, can be disabled by setting smartArcRounding to false. By @ KTibow in #1873
    • convertPathData, convert cubic Bézier curves to quadratic Bézier curves where possible, can be disabled by setting convertToQ to false. By @ KTibow in #1889

    Performance

    Metrics

    Before and after using vectors from various sources, with the default preset of each respective version:

    SVG Original v3.1.0 v3.2.0 Delta
    Arch Linux Logo 9.529 KiB 4.162 KiB 4.115 KiB ⬇️ 0.047 KiB
    Blobs 50.45 KiB 42.949 KiB 42.623 KiB ⬇️ 0.326 KiB
    Isometric Madness 869.034 KiB 550.153 KiB 540.582 KiB ⬇️ 9.571 KiB
    tldr-pages Banner 2.071 KiB 1.07 KiB 1.07 KiB
    Wikipedia Logo 161.551 KiB 116 KiB 111.668 KiB ⬇️ 4.332 KiB

    Before and after of the browser bundle of each respective version:

    v3.1.0 v3.2.0 Delta
    svgo.browser.js 660.9 kB 910.9 kB ⬆️ 250 kB
  • 3.1.0 - 2023-12-11

    What's Changed

    Bug Fixes

    SVG Optimization

    Metrics

    Before and after using vectors from various sources, with the default preset of each respective version:

    SVG Original v3.0.5 v3.1.0 Delta
    Arch Linux Logo 9.529 KiB 4.608 KiB 4.162 KiB ⬇️ 0.446 KiB
    Blobs 50.45 KiB 42.949 KiB 42.949 KiB
    Isometric Madness 869.034 KiB 550.153 KiB 550.153 KiB
    tldr-pages Banner 2.071 KiB 1.07 KiB 1.07 KiB
    Wikipedia Logo 161.551 KiB 117.146 KiB 116 KiB ⬇️ 1.146 KiB

    Before and after of the browser bundle of each respective version:

    v3.0.5 v3.1.0 Delta
    svgo.browser.js 657.5 kB 660.9 kB ⬆️ 3.4 kB
  • 3.0.5 - 2023-11-30

    What's Changed

    Bug Fixes

    Chores

    • Improved exported types for the #loadConfig method. By @ nuintun in #1844

    Metrics

    Before and after using vectors from various sources, with the default preset of each respective version:

    SVG Original v3.0.4 v3.0.5 Delta
    Arch Linux Logo 9.529 KiB 4.735 KiB 4.608 KiB ⬇️ 0.127 KiB
    Blobs 50.45 KiB 42.949 KiB 42.949 KiB
    Isometric Madness 869.034 KiB 550.593 KiB 550.153 KiB ⬇️ 0.44 KiB
    tldr-pages Banner 2.071 KiB 1.07 KiB 1.07 KiB
    Wikipedia Logo 161.551 KiB 117.152 KiB 117.146 KiB ⬇️ 0.006 KiB

    Before and after of the browser bundle of each respective version:

    v3.0.4 v3.0.5 Delta
    svgo.browser.js 656.9 kB 657.5 kB ⬆️ 0.6 kB
  • 3.0.4 - 2023-11-18

    Includes various bug fixes for existing plugins and a new optimization. Also splits removeXMLNS, which removed XLink, into two separate plugins, removeXMLNS and removeXlink.

    What's Changed

    Default Behavior

    • removeXMLNS, no longer removes the XLink (xmlns:xlink) namespace. If that is desirable, you should enable the new removeXlink plugin, which does more while being safer. By @ TrySound and @ SethFalco in #1535

    Bug Fixes

    SVG Optimization

    • convertPathData, convert to z command if going back to initial position, or drop z if redundant. By @ KTibow in #1822
    • inlineStyles, when inlining a CSS property that's already declared in a presentation attribute of the node, drop the attribute. By @ SethFalco in #1829
    • removeXlink, new plugin that removes the XLink (xmlns:xlink) namespace and migrates from XLink attributes to the SVG 2 equivalent. Disabled by default. By @ TrySound and @ SethFalco in #1535

    Metrics

    Before and after using vectors from various sources, with the default preset of each respective version:

    SVG Original v3.0.3 v3.0.4 Delta
    Arch Linux Logo 9.529 KiB 4.738 KiB 4.735 KiB ⬇️ 0.003 KiB
    Blobs 50.45 KiB 42.949 KiB 42.949 KiB
    Isometric Madness 869.034 KiB 550.699 KiB 550.593 KiB ⬇️ 0.106 KiB
    tldr-pages Banner 2.071 KiB 1.07 KiB 1.07 KiB
    Wikipedia Logo 161.552 KiB 118.441 KiB 117.152 KiB ⬇️ 1.289 KiB

    Before and after of the browser bundle of each respective version:

    v3.0.3 v3.0.4 Delta
    svgo.browser.js 651.7 kB 656.9 kB ⬆️ 5.2 kB
  • 3.0.3 - 2023-11-08

    Includes various bug fixes and optimizations for existing plugins.

    We're also revamped the documentation for the project. You can find it on svgo.dev!
    The frontend for svgo.dev is maintained in svg/svgo.dev, contributions are welcome.

    What's Changed

    Default Behavior

    • removeComments, introduces preservePatterns parameter. Preserves legal comments by default, same as the previous behavior, but can now be overridden. By @ SethFalco in #1812
    • removeDesc, set the removeAny parameter to false by default for accessibility. By @ SethFalco in #1806

    Bug Fixes

    • removeRasterImages, removes inline JPEG images. By @ abejfehr in #1742
    • cleanupIds, correctly handle when 2 IDs have been referenced in a single attribute. By @ SethFalco in #1795
    • cleanupIds, correctly handle when we've encountered a reference to a node that doesn't exist. By @ SethFalco in #1817
    • inlineStyles, treat style prop keys as case-insensitive. By @ SethFalco in #1797
    • inlineStyles, remove all classes in multiclass selector. By @ SethFalco in #1801
    • inlineStyles, ignore empty CSS blocks instead of adding empty style attribute. By @ SethFalco in #1823
    • minifyStyles, removes unused class selectors when the document has no classes. By @ SethFalco in #1800
    • prefixIds, reuse the same prefix when encountering an ID multiple times. By @ SethFalco in #1814
    • removeHiddenElems, stops removing non-rendering elements like masks. By @ SethFalco in #1793
    • reusePaths, creates a new ID if the current one is referenced by another element. By @ SethFalco in #1784
    • reusePaths, removes redundant defs children after optimization. By @ SethFalco in #1785
    • reusePaths, stops duplicating attributes into the shared definition. By @ SethFalco in #1791
    • Don't crash on a null, undefined, or empty plugin. Instead, log a warning and ignore it. By @ SethFalco in #1128

    SVG Optimization

    Performance

    Chores

@snyk-io
feat: upgrade svgo from 1.3.2 to 3.3.2
444bf6e 
Snyk has created this PR to upgrade svgo from 1.3.2 to 3.3.2.

See this package in npm:
svgo

See this project in Snyk:
https://app.snyk.io/org/cachiman/project/6fb5ff98-b39a-43d8-b237-9513d9038267?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr
@google-cla Google CLA
Copy link

google-cla bot commented Jul 17, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants