sub dependency is vulnerable
Hi

You might want to upgrade svgo for the following flaw:
> $ npm audit ⬡ 10.13.0 [±master ●]
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ js-yaml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.13.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-plugin-inline-react-svg [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ babel-plugin-inline-react-svg > svgo > js-yaml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/788 │
└───────────────┴──────────────────────────────────────────────────────────────┘
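The audit table above gives three facts a defender needs for triage: the full dependency path, that the vulnerable package is only reached through a dev dependency, and the patched range. The following Node script is an added example (not code from the issue or from the babel-plugin-inline-react-svg project): it reads an `npm audit --json` report, checks whether the installed version already satisfies a `>=x.y.z` patched range, flags dev-only paths, and builds the nested `overrides` entry that pins the transitive package without upgrading svgo. It assumes the npm 6 report shape (`advisories` with `findings[].version/paths/dev`), uses a constructed sample report with a placeholder installed version of `3.12.0`, and assumes a package manager that honours `package.json` `overrides` (npm 8.3 or later).

```javascript
// Added example: triage helper for `npm audit --json` output.
// Not from the issue or the project; the report shape follows the npm 6
// format (assumption) and the sample below is constructed.

// Matches the lower bound of a ">=x.y.z" patched range.
const MIN_PATCHED = /^>=\s*(\d+)\.(\d+)\.(\d+)/;

// Parse "x.y.z" (pre-release suffix ignored) into a numeric triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed version is >= the lower bound of the patched range.
// Unknown range shapes are treated as still vulnerable (fail closed).
function isPatched(installed, patchedRange) {
  const m = MIN_PATCHED.exec(patchedRange || '');
  if (!m) return false;
  const have = parseVersion(installed);
  const need = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true;
}

// "a>b>c" + ">=3.13.0"  ->  { a: { b: { c: ">=3.13.0" } } }
// This is the nested form npm's package.json "overrides" key accepts
// (assumed available: npm >= 8.3).
function overrideFor(path, range) {
  return path.split('>').reduceRight((acc, name) => ({ [name]: acc }), range);
}

// One triage record per (advisory, finding): path, dev-only flag,
// patched-or-not, and the override that would pin the nested package.
function triageAudit(report) {
  const out = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const f of adv.findings || []) {
      const patched = isPatched(f.version, adv.patched_versions);
      out.push({
        id: adv.id,
        module: adv.module_name,
        severity: adv.severity,
        installed: f.version,
        patchedIn: adv.patched_versions,
        devOnly: f.dev === true,
        alreadyPatched: patched,
        paths: f.paths,
        override: patched ? null : overrideFor(f.paths[0], adv.patched_versions),
      });
    }
  }
  return out;
}

// Human-readable summary, one line per record.
function formatTriage(records) {
  return records.map(r =>
    `${r.severity} #${r.id} ${r.module}@${r.installed} via ${r.paths[0]} ` +
    `(${r.devOnly ? 'dev only' : 'PRODUCTION'}; ` +
    `${r.alreadyPatched ? 'already patched' : 'patched in ' + r.patchedIn})`
  ).join('\n');
}

// Constructed sample mirroring the path in the issue's audit table.
// The installed version 3.12.0 is a placeholder, not taken from the issue.
const SAMPLE_REPORT = {
  advisories: {
    '788': {
      id: 788,
      module_name: 'js-yaml',
      severity: 'moderate',
      title: 'Denial of Service',
      vulnerable_versions: '<3.13.0',
      patched_versions: '>=3.13.0',
      url: 'https://nodesecurity.io/advisories/788',
      findings: [
        { version: '3.12.0', dev: true, paths: ['babel-plugin-inline-react-svg>svgo>js-yaml'] },
      ],
    },
  },
};

// Demo run on the constructed sample.
const records = triageAudit(SAMPLE_REPORT);
console.log(formatTriage(records));
for (const r of records) {
  if (r.override) console.log('suggested "overrides":', JSON.stringify(r.override));
}
```

A dev-only finding like this one does not reach the shipped bundle, which is the usual reason to down-rank it; the generated `overrides` entry is the option when the parent package cannot be upgraded, and it should be paired with a re-run of `npm audit` to confirm the pinned version actually resolves.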
Issue Analytics
- State:
- Created 4 years ago
- Comments:7
This isn’t actually a vulnerability for this package (npm audit has lots of false positives).
See #35 for why upgrading is prohibitively difficult.
No, that’s not what the audit report is about - it’s about the svg being transformed being able to inject malicious code. Since you’re transforming your own svgs, all you have to do is not put malicious code in them 😃