Updating to svgo ^1.0.3 and synchronizing promise

[Trainbird]

This is a fully working update to svgo@^1.0.3, closing #34 on the way.

Closes #34. Closes #44. Closes #45.

[michaeljonathanblack]

Why was this never verified or merged?

[ljharb]

this is not a package i'm interested in using; making async things sync is a very dangerous choice to make in JS.

[ljharb]

@Trainbird can this PR be updated to update svgo alone?

[Trainbird]

Maybe Babel 7 solves the issue ... this PR in its original idea (synchronizing Promises with a 3rd party plugin) is (understandably) not compliant with package policy.

[mengqing]

Any chance that this PR gets merged or simply just update svgo alone?

The severity of the npm audit on js-yaml -> svgo is now updated to "High - Code Injection" from the "Moderate - Denial of Service"

[CarlosOlave]

any updates on this PR?

ya'll

[ljharb]

@CarlosOlave it actually is zero severity since it’s a false positive for our use of svgo.

[darakian]

Any update on this PR? I'd much rather not bundle known exploits.

[ljharb]

@darakian this is a babel transform, so it shouldn't be bundled in any case, nor is there any known exploit that actually applies to this package.

[darakian]

@ljharb Is there some public analysis that I can read which supports that conclusion?

[ljharb]

The CVE itself. The attack vector here would have to be, you’re transpiling your own malicious svgs. When the solution is “don’t attack yourself”, it shouldn’t take much convincing that there’s no actual vulnerability.

[darakian]

That does assume that all inputs are known to be good though. In my case that's fine, but as a general stance I don't think that's good.

[ljharb]

All inputs to any Babel transform are known to be good, or else it wouldn’t be safe to transform them.

To reiterate, I’d prefer to upgrade, but Babel transforms are sync and the latest version of svgo is async.

[mverissimo]

Any update about this PR?

[ljharb]

There won’t be any updates until svg/svgo#1015 is addressed.