
chore(deps): bump postcss-svgo dep of svgo from v2.3.0 to 2.3.1 #1152

Merged
merged 1 commit into from Jun 27, 2021

Conversation


@sigveio sigveio commented Jun 26, 2021

This pull request aims to bump postcss-svgo's dependency of svgo from ^2.3.0 to ^2.3.1.

svgo version 2.3.1 bumps its dependency on css-select from ^3.1.2 to ^4.1.3 in order to bump the transitive dependency css-what from 4.x to ^5.0.1. This addresses a ReDoS security vulnerability present in prior versions.

svgo version 2.3.1 bumps transitive dependency css-what from 4.x to 5.x to address a ReDoS security vulnerability present in versions prior to this. (See svg/svgo/pull/1485)
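As an added example (not code from this PR, cssnano or svgo), the Node script below walks a package-lock.json along the postcss-svgo -> svgo -> css-select -> css-what chain described above and reports whether the css-what that actually resolves is at or above 5.0.1. The two lockfiles, their paths and versions are constructed for illustration, and `auditCssWhat`, `resolve` and `compareVersions` are hypothetical helper names.

```javascript
// Added example (not cssnano's or svgo's code): walk a package-lock.json v2/v3
// "packages" map along postcss-svgo -> svgo -> css-select -> css-what and check
// that the css-what which actually loads is >= 5.0.1, the floor svgo 2.3.1 sets.
// Both lockfiles below are constructed for illustration, not real project data.
const LOCK_BEFORE = { lockfileVersion: 2, packages: {
  "node_modules/postcss-svgo": { version: "5.0.0" },
  "node_modules/svgo": { version: "2.3.0" },
  "node_modules/css-select": { version: "3.1.2" },
  "node_modules/css-what": { version: "4.0.0" },
} };
// After the bump: css-select 4.x / css-what 5.x sit nested under svgo because
// another (constructed) dependency still keeps the hoisted 3.x / 4.x copies.
const LOCK_AFTER = { lockfileVersion: 2, packages: {
  ...LOCK_BEFORE.packages,
  "node_modules/postcss-svgo": { version: "5.0.1" },
  "node_modules/svgo": { version: "2.3.1" },
  "node_modules/svgo/node_modules/css-select": { version: "4.1.3" },
  "node_modules/svgo/node_modules/css-what": { version: "5.0.1" },
} };
const FIXED_CSS_WHAT = "5.0.1";
// Numeric semver compare ("5.0.1" -> [5,0,1]); pre-release suffixes are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Mirror Node's lookup: nearest nested node_modules first, then up to the hoisted copy.
function resolve(lock, fromPath, name) {
  for (let base = fromPath; ; ) {
    const key = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[key]) return { path: key, pkg: lock.packages[key] };
    if (!base) return null;
    const i = base.lastIndexOf("node_modules/");
    base = i > 0 ? base.slice(0, i - 1) : "";
  }
}
// Follow the chain named in the PR description and report which css-what loads.
function auditCssWhat(lock) {
  const versions = {}; let path = "";
  for (const name of ["postcss-svgo", "svgo", "css-select", "css-what"]) {
    const hit = resolve(lock, path, name);
    if (!hit) return { ok: false, versions, reason: `${name} not resolvable from ${path || "root"}` };
    versions[name] = hit.pkg.version;
    path = hit.path;
  }
  const ok = compareVersions(versions["css-what"], FIXED_CSS_WHAT) >= 0;
  return { ok, versions, reason: ok ? "css-what is at or above 5.0.1" : `css-what ${versions["css-what"]} is in the ReDoS-affected range` };
}
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditCssWhat`; a hoisted 5.x copy at the root is not enough if svgo still resolves a nested 4.x one.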

codecov-commenter commented Jun 27, 2021

Codecov Report

Merging #1152 (846dde1) into master (2a0128c) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #1152   +/-   ##
=======================================
  Coverage   96.43%   96.43%           
=======================================
  Files         116      116           
  Lines        3592     3592           
  Branches     1054     1054           
=======================================
  Hits         3464     3464           
  Misses        119      119           
  Partials        9        9           



@ludofischer ludofischer left a comment


Looks good to me. You do not need to wait for this to be released to be able to update svgo.

@ludofischer ludofischer merged commit ef098b1 into cssnano:master Jun 27, 2021
@ludofischer

Notice that with this update svgo might reject invalid code that it previously processed (see the svgo PR svg/svgo#1485).
