"High" severity audit alert because of `css-what`
Report
Per this security advisory there is a “high risk” DoS risk from the dependency css-what that is fixed by upgrading it to 5.0.1 or higher.

This is appearing if you use svgr because of the dependency chain:

@svgr/webpack > @svgr/plugin-svgo > svgo > css-select > css-what
To Reproduce

Run npm audit on a project that includes @svgr/webpack as a dependency.
Expected behavior
No audit warning should appear
Proposed resolution

I’ve opened an issue in svgo to resolve the dependency issue there. Once that is closed, the dependency on svgo in @svgr/plugin-svgo should also be updated.
This is likely not that much of a risk since a DoS attack via a dev-dependency used during build is essentially a non-risk, so it’s low priority. But, it is causing a scary angry audit risk that might scare off new developers, so I figured it was worth opening this nonetheless.
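One way to check, without re-running npm audit, whether a project's lockfile still resolves css-what below the patched 5.0.1 release and where in the tree each copy lives. This is an added example, not code from svgr, svgo or the issue author; the lockfile fragment, the package versions in it and the function names are constructed for illustration.

```javascript
// Added example (not svgr's or svgo's code): list every copy of css-what in a
// lockfileVersion 2/3 package-lock.json that is older than the patched 5.0.1
// release, with its install path, so a nested copy such as
// node_modules/svgo/node_modules/css-what is visible at a glance.
const PATCHED = "5.0.1";

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ path, version }] for each css-what entry below the patched version.
// Lockfile entries are keyed by install path, so nested duplicates are separate keys.
function findVulnerableCssWhat(lock, pkgName = "css-what", patched = PATCHED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/" + pkgName)) continue;
    if (compareVersions(meta.version, patched) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (versions are illustrative, not a real project's):
// one hoisted css-what still on 4.0.0 and one nested copy already on 5.0.1,
// the shape npm leaves behind after a partial upgrade.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", dependencies: { "@svgr/webpack": "*" } },
    "node_modules/css-select": { version: "3.1.2", dependencies: { "css-what": "^4.0.0" } },
    "node_modules/css-what": { version: "4.0.0" },
    "node_modules/svgo/node_modules/css-what": { version: "5.0.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const h of findVulnerableCssWhat(SAMPLE_LOCK)) {
    console.log(`${h.path} is css-what@${h.version} (< ${PATCHED})`);
  }
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every resolved copy is at or above 5.0.1.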
Top GitHub Comments
Any updates?
Fixed in #591