Security vulnerability with is-svg@^3.0.0

[Juandkpa]

Describe the bug

Dependabot alerts for a high severity vulnerability:

Dependabot cannot update is-svg to a non-vulnerable version
The latest possible version that can be installed is 3.0.0 because of the following conflicting dependency:

react-scripts@4.0.3 requires is-svg@^3.0.0 via a transitive dependency on postcss-svgo@4.0.2
The earliest fixed version is 4.2.2.

CVE-2021-28092

Suggested dependabot remediation

Upgrade is-svg to version 4.2.2 or later. For example:

"dependencies": {
  "is-svg": ">=4.2.2"
}

or…

"devDependencies": {
  "is-svg": ">=4.2.2"
}

[AviVahl]

Should be fixed now. New postcss-svgo patch release dropped is-svg.

[jiridanek]

Should be fixed now. New postcss-svgo patch release dropped is-svg.

Thanks, I just did npm update postcss-svgo --depth=5 --dev

[cmacdonnacha]

Hey, any idea when this will be addressed or is there a workaround for now?

[nj314]

Hey, any idea when this will be addressed or is there a workaround for now?

@cmacdonnacha This was fixed by a bugfix release from postcss-svgo. Bugfix releases can be automatically picked up by your application without a corresponding release from react-scripts. You can either delete and rebuild your package-lock.json to pick it up, or as suggested by @jiridanek, run npm update postcss-svgo --depth=5 --dev.

[cmacdonnacha]

Excellent thanks @nj314. Will give that a go.

EDIT: This worked: npm update postcss-svgo --depth=5 --dev

[ziaulrehman40]

not sure why, but this npm update postcss-svgo --depth=5 --dev is not doing anything for me. 🤔

[cmacdonnacha]

A new vulnerability has been found on postcss too.

Remediation
Upgrade postcss to version 8.2.10 or later. For example:

"dependencies": {
  "postcss": ">=8.2.10"
}
or…
"devDependencies": {
  "postcss": ">=8.2.10"
}

[ziaulrehman40]

react-scripts: 4.0.3 has "resolve-url-loader": "^3.1.2" dependency, which resolves to 3.1.3.
resolve-url-loader: 3.1.3 lists a dependency: "postcss": "7.0.21" which is a fixed version dependency, so I am unable to get rid of postcss security issue even if i add "postcss": ">=8.2.10" in my package.json.

Sounds like react-script needs some updates to fix all these vulnerabilities.