"High" severity audit alert because of css-what

[zackdotcomputer]

Report

Per this security advisory there is a "high risk" DoS risk from the dependency css-what that is fixed by upgrading it to 5.0.1 or higher.

This is appearing if you use svgr because of the dependency chain:

@svgr/webpack > @svgr/plugin-svgo > svgo > css-select > css-what

To Reproduce

Run npm audit on a project that includes @svgr/webpack as a dependency.

Expected behavior

No audit warning should appear

Proposed resolution

I've opened an issue in svgo to resolve the dependency issue there. Once that is closed, the dependency on svgo in @svgr/plugin-svgo should also be updated.

This is likely not that much of a risk since a DoS attack via a dev-dependency used during build is essentially a non-risk, so it's low priority. But, it is causing a scary angry audit risk that might scare off new developers, so I figured it was worth opening this nonetheless.

[open-collective-bot]

Hey @zackdotcomputer 👋,
Thank you for opening an issue. We'll get back to you as soon as we can.
Please, consider supporting us on Open Collective. We give a special attention to issues opened by backers.
If you use SVGR at work, you can also ask your company to sponsor us ❤️.

[gicontz]

Same issue here!

[igloude]

Thanks for opening this one - we're looking for the same thing here!

[ntucker]

Related: #537

[Mister-Hope]

Any updates?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[zackdotcomputer]

This issue is still active and will be solved by #565

[gregberge]

Fixed in #591