-
-
Notifications
You must be signed in to change notification settings - Fork 26.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerability with is-svg@^3.0.0 #10762
Comments
Should be fixed now. New postcss-svgo patch release dropped is-svg. |
Thanks, I just did |
Hey, any idea when this will be addressed or is there a workaround for now? |
@cmacdonnacha This was fixed by a bugfix release from |
Excellent thanks @nj314. Will give that a go. EDIT: This worked: |
not sure why, but this |
A new vulnerability has been found on
|
Sounds like react-script needs some updates to fix all these vulnerabilities. |
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs. |
Still an issue. |
There is, and has not been, an actual vulnerability here. |
Describe the bug
Dependabot alerts for a high severity vulnerability:
Dependabot cannot update is-svg to a non-vulnerable version
The latest possible version that can be installed is 3.0.0 because of the following conflicting dependency:
[email protected]
requiresis-svg@^3.0.0
via a transitive dependency on[email protected]
The earliest fixed version is
4.2.2.
CVE-2021-28092
Suggested dependabot remediation
Upgrade is-svg to version 4.2.2 or later. For example:
or…
The text was updated successfully, but these errors were encountered: