
Security vulnerability with is-svg@^3.0.0


Describe the bug

Dependabot alerts for a high severity vulnerability:

Dependabot cannot update is-svg to a non-vulnerable version. The latest possible version that can be installed is 3.0.0 because of the following conflicting dependency:

react-scripts@4.0.3 requires is-svg@^3.0.0 via a transitive dependency on postcss-svgo@4.0.2. The earliest fixed version is 4.2.2.

CVE-2021-28092

Suggested dependabot remediation

Upgrade is-svg to version 4.2.2 or later. For example:

"dependencies": {
  "is-svg": ">=4.2.2"
}

or…

"devDependencies": {
  "is-svg": ">=4.2.2"
}

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 25
  • Comments: 11 (1 by maintainers)

Top GitHub Comments

7 reactions
AviVahl commented, Apr 6, 2021

Should be fixed now. New postcss-svgo patch release dropped is-svg.

4 reactions
ziaulrehman40 commented, May 24, 2021

react-scripts: 4.0.3 has a "resolve-url-loader": "^3.1.2" dependency, which resolves to 3.1.3. resolve-url-loader: 3.1.3 lists a dependency "postcss": "7.0.21", which is a fixed-version dependency, so I am unable to get rid of the postcss security issue even if I add "postcss": ">=8.2.10" in my package.json.

Sounds like react-scripts needs some updates to fix all these vulnerabilities.
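Both the `">=4.2.2"` range suggested in the issue body and the `">=8.2.10"` range the comment above tried share one problem: they only change the top-level copy. Node resolves a `require` by walking up from the requiring package's own `node_modules`, so a copy nested under `node_modules/postcss-svgo/node_modules/` or `node_modules/resolve-url-loader/node_modules/` is what those packages load, whatever sits at the top level. The script below, added here as an illustration and not code from the issue, from react-scripts, or from Lightrun, replays that resolution walk against a constructed `package-lock.json` (lockfileVersion 2) fragment. The fragment is collapsed to the chains the thread names (react-scripts -> postcss-svgo -> is-svg and react-scripts -> resolve-url-loader -> postcss); the intermediate packages, the package name `my-app`, and the function names are assumptions for the example.

```javascript
"use strict";

// Constructed sample of a lockfileVersion 2 "packages" map. Intermediate packages between
// react-scripts and postcss-svgo are omitted. The top-level is-svg and postcss entries are
// what adding the ">=" ranges from the thread to package.json would produce.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": {
      name: "my-app",
      dependencies: { "react-scripts": "4.0.3", "is-svg": ">=4.2.2", postcss: ">=8.2.10" },
    },
    "node_modules/is-svg": { version: "4.2.2" },
    "node_modules/postcss": { version: "8.2.10" },
    "node_modules/react-scripts": {
      version: "4.0.3",
      dependencies: { "postcss-svgo": "4.0.2", "resolve-url-loader": "^3.1.2" },
    },
    "node_modules/postcss-svgo": { version: "4.0.2", dependencies: { "is-svg": "^3.0.0" } },
    "node_modules/postcss-svgo/node_modules/is-svg": { version: "3.0.0" },
    "node_modules/resolve-url-loader": { version: "3.1.3", dependencies: { postcss: "7.0.21" } },
    "node_modules/resolve-url-loader/node_modules/postcss": { version: "7.0.21" },
  },
};

// Parse "4.2.2" into [4, 2, 2]. Numeric comparison matters: "4.2.10" is newer than "4.2.2"
// even though it sorts earlier as a string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Emulate Node's module resolution against the lockfile: starting from the package
// installed at `fromPath`, look for `<fromPath>/node_modules/<name>`, then strip one
// nesting level and retry, until the project root. Returns the lockfile key of the copy
// that `fromPath` would actually load, or null if none is installed.
function resolveFrom(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// For every installed package that declares `name` as a dependency, report which copy it
// resolves to and whether that copy is older than `fixedVersion`.
function auditDependents(lock, name, fixedVersion) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const deps = pkg.dependencies || {};
    if (!(name in deps)) continue;
    const resolvedPath = resolveFrom(lock, path, name);
    const resolvedVersion = resolvedPath ? lock.packages[resolvedPath].version : null;
    findings.push({
      dependent: path === "" ? lock.name : path.split("node_modules/").pop(),
      range: deps[name],
      resolvedPath,
      resolvedVersion,
      vulnerable: resolvedVersion !== null && compareVersions(resolvedVersion, fixedVersion) < 0,
    });
  }
  return findings;
}

// One human-readable line per dependent.
function report(lock, name, fixedVersion) {
  return auditDependents(lock, name, fixedVersion).map(
    (f) =>
      `${f.dependent} wants ${name}@${f.range} -> ${f.resolvedPath ?? "(not installed)"}` +
      ` (${f.resolvedVersion})` +
      (f.vulnerable ? `  VULNERABLE (< ${fixedVersion})` : "  ok")
  );
}

// is-svg fixed in 4.2.2 per the Dependabot alert; 8.2.10 is the postcss threshold the
// comment above used.
console.log(report(SAMPLE_LOCK, "is-svg", "4.2.2").join("\n"));
console.log(report(SAMPLE_LOCK, "postcss", "8.2.10").join("\n"));
```

Against a real tree, `npm ls is-svg` performs the same walk and prints every installed copy with the chain that reaches it; a Dependabot alert stays open until no such copy is below the fixed version. Because the nested copies are pinned by their dependents, the fix has to come from either the dependent dropping or relaxing the pin (which is what the postcss-svgo patch release did, per the first comment) or from forcing the nested resolution with npm's `overrides` or Yarn's `resolutions`. Forcing postcss from 7.0.21 to 8.x under resolve-url-loader 3.x is a major-version jump that package was not written against, so such an override should be treated as a change to test, not a free patch.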
