This repository has been archived by the owner on Mar 17, 2023. It is now read-only.

Security vulnerability with css-what and glob-parent #349

Closed
hellmelt opened this issue Jun 14, 2021 · 1 comment

Comments

@hellmelt

yarn audit outputs a high risk for css-what, a dependency of image-webpack-loader:
image-webpack-loader > imagemin-svgo > svgo > css-select > css-what

in addition to the previously reported normalize-url and trim-newlines.

Furthermore, there is a moderate risk in glob-parent:
image-webpack-loader > imagemin > globby > fast-glob > glob-parent

@tcoopman
Owner

These are all problems with deeper dependencies.

  1. I don't think these have any risks (how would you exploit this on a webpack loader?)
  2. I try to keep up to date with the dependencies, but some of them are not well maintained (see Consider switching to squoosh #353) so it's not easy to fix.
  3. Pull requests that fix these are always welcome.

I'm closing this, but feel free to open a PR that fixes them or I'm willing to reopen if you can at least give any indication how this can be a risk for a webpack loader.
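The two audit findings above are reached only through transitive build-time dependencies, and the owner's question is whether a package that is never loaded at runtime is exposed at all. The script below is an added illustration (not code from this issue or from image-webpack-loader) of how to trace such chains and separate dev-only exposure from runtime exposure. The dependency graph and the `my-app` root are constructed, simplified data modelled on the two chains quoted in the report; real projects would read the graph from their lockfile instead.

```python
"""Trace how a flagged transitive dependency is reached from a project's
declared dependencies and whether any chain passes through a runtime
dependency. Added illustration; the graph below is constructed sample
data, not taken from the project's lockfile."""

from typing import Dict, List

# Constructed graph: package -> its direct dependencies (versions omitted).
# The two chains mirror those quoted in the issue report.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "my-app": ["react", "image-webpack-loader"],  # hypothetical project root
    "image-webpack-loader": ["imagemin", "imagemin-svgo"],
    "imagemin-svgo": ["svgo"],
    "svgo": ["css-select"],
    "css-select": ["css-what"],
    "css-what": [],
    "imagemin": ["globby"],
    "globby": ["fast-glob"],
    "fast-glob": ["glob-parent"],
    "glob-parent": [],
    "react": [],
}

# Constructed: root dependencies that are build tooling only (devDependencies).
DEV_DEPENDENCIES = {"image-webpack-loader"}


def paths_to(graph: Dict[str, List[str]], root: str, target: str) -> List[str]:
    """Return every dependency chain from `root` to `target`, formatted like
    yarn's 'a > b > c' output. Depth-first search; packages already on the
    current path are skipped so cyclic graphs terminate."""
    found: List[str] = []

    def walk(pkg: str, path: List[str]) -> None:
        if pkg == target:
            found.append(" > ".join(path))
            return
        for dep in graph.get(pkg, []):
            if dep in path:  # cycle guard
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return found


def classify(graph: Dict[str, List[str]], root: str, dev_deps: set, target: str) -> dict:
    """Report whether `target` is reachable at all and whether any chain
    enters through a runtime (non-dev) dependency of the root. A finding
    reachable only via dev tooling affects the build machine, not the
    shipped application; one reachable at runtime affects end users."""
    chains = paths_to(graph, root, target)
    runtime = [
        c for c in chains
        if len(c.split(" > ")) > 1 and c.split(" > ")[1] not in dev_deps
    ]
    return {
        "chains": chains,
        "reachable": bool(chains),
        "runtime_exposure": bool(runtime),
    }


if __name__ == "__main__":
    for pkg in ("css-what", "glob-parent"):
        report = classify(DEPENDENCY_GRAPH, "my-app", DEV_DEPENDENCIES, pkg)
        print(pkg, "->", "runtime" if report["runtime_exposure"] else "build-time only")
        for chain in report["chains"]:
            print("   ", chain)
```

Running it on the constructed graph reports both packages as build-time only, which is the distinction to document when triaging an audit finding: the vulnerable code runs on the CI or developer machine during bundling, so the relevant mitigations are keeping build hosts patched and isolated and upgrading or overriding the transitive version (for example via a lockfile resolution), rather than treating it as an exposure of the deployed site.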
