
🚨 [security] Update svgo 3.0.0 → 3.3.3 (minor) #216

Open
depfu[bot] wants to merge 1 commit into master from depfu/update/npm/svgo-3.3.3

Conversation

depfu bot commented Mar 5, 2026


Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!



🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ svgo (3.0.0 → 3.3.3) · Repo · Changelog

Security Advisories 🚨

🚨 SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)

Summary

SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory.

Details

The upstream XML parser (sax) doesn't interpret custom XML entities by default. We pattern matched custom XML entities from the DOCTYPE, inserting them into parser.ENTITIES, and enabled unparsedEntities. This gives us the desired behavior of supporting SVGs with entities declared in the DOCTYPE.

However, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them.

Proof of Concept

import { optimize } from 'svgo';

/** Presume that this string was obtained in some other way, such as network. */
const original = `
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
`;

optimize(original);

Impact

If SVGO is run on untrusted input (i.e., user-uploaded files in a server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG < 1 KB in size.

It's unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines.

Patches

SVGO has patched v4.0.1, v3.3.3, and v2.8.1! However, it's strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore.

Workarounds

== 4.0.0

For v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively:

For example:

yarn up -R sax

New options were introduced upstream which make the way SVGO parses SVGs safe by default.

>= 2.1.0, <= 3.3.2

Users of v3 and v2 will have to take manual action. If users can't upgrade, they may be able to work around this as long as the project doesn't require support for custom XML entities, though it's not a simple flag.

Parse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO.

+ import SAX from 'sax';
  import { optimize } from 'svgo';

- const original = `
+ let original = `
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  ]>
  <lolz>&lol9;</lolz>
  `;

+ const parser = SAX.parser();
+ /** @param {string} doctype */
+ parser.ondoctype = (doctype) => {
+   original = original.replace(doctype, '');
+ }
+ parser.write(original);

  optimize(original);

Resources

Release Notes

3.3.3

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

| | v3.3.2 | v3.3.3 | Delta |
|---|---|---|---|
| svgo.browser.js | 910.9 kB | 912.9 kB | ⬆️ 2 kB |

Support

SVGO v3 is not officially supported; please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

3.3.2

Notice

An update on what happened with v3.3.0 and v3.3.1. While we have retained CJS support, the migration to ESM has changed the acceptable ways to import SVGO, in ways that users depended on before. This effectively made SVGO v3 a breaking change.

Rather than resolve or workaround these differences, we've opted to release SVGO v3.3.2, which is effectively a revert to v3.2.0, and deprecate versions v3.3.0 and v3.3.1. We'll then proceed to work on releasing v4 which will document the breaking changes, and feature further breaking changes that were slated for v4, like disabling removeViewBox by default.

Before the v4.0.0 release, I'll put more focus on testing and use release candidates, just to help make the release go smoothly! 👍🏽

Sorry for the headache, and thanks for your patience.

3.3.0

Deprecated

This release introduced breaking changes, which have been reverted in v3.3.2. The bug fixes will be reintroduced in v4.0.0.

What's Changed

ESM

SVGO is now a dual package, serving both Common JS and ESM usage. We believe there shouldn't be any problems, especially as SVGO is largely stateless, but feel free to open an issue if you encounter problems with this.

To be explicit, this is not a breaking change, and SVGO should continue to work in Common JS projects!

Thanks to @jdufresne for doing the bulk of the work.

Default Behavior

  • convertColors, now converts all references to colors excluding references to IDs to lowercase. This can be disabled by setting convertCase to false.

Bug Fixes

SVG Optimization

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

| SVG | Original | v3.2.0 | v3.3.0 | Delta |
|---|---|---|---|---|
| Arch Linux Logo | 9.529 KiB | 4.115 KiB | 4.097 KiB | ⬇️ 0.018 KiB |
| Blobs | 50.45 KiB | 42.623 KiB | 42.609 KiB | ⬇️ 0.014 KiB |
| Isometric Madness | 869.034 KiB | 540.582 KiB | 540.073 KiB | ⬇️ 0.509 KiB |
| tldr-pages Banner | 2.071 KiB | 1.07 KiB | 1.07 KiB | |
| Wikipedia Logo | 161.551 KiB | 111.668 KiB | 111.668 KiB | |

Before and after of the browser bundle of each respective version:

| | v3.2.0 | v3.3.0 | Delta |
|---|---|---|---|
| svgo.browser.js | 910.9 kB | 753.0 kB | ⬇️ 157.9 kB |

3.2.0

What's Changed

Bug Fixes

SVG Optimization

Performance

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

| SVG | Original | v3.1.0 | v3.2.0 | Delta |
|---|---|---|---|---|
| Arch Linux Logo | 9.529 KiB | 4.162 KiB | 4.115 KiB | ⬇️ 0.047 KiB |
| Blobs | 50.45 KiB | 42.949 KiB | 42.623 KiB | ⬇️ 0.326 KiB |
| Isometric Madness | 869.034 KiB | 550.153 KiB | 540.582 KiB | ⬇️ 9.571 KiB |
| tldr-pages Banner | 2.071 KiB | 1.07 KiB | 1.07 KiB | |
| Wikipedia Logo | 161.551 KiB | 116 KiB | 111.668 KiB | ⬇️ 4.332 KiB |

Before and after of the browser bundle of each respective version:

| | v3.1.0 | v3.2.0 | Delta |
|---|---|---|---|
| svgo.browser.js | 660.9 kB | 910.9 kB | ⬆️ 250 kB |

3.1.0

What's Changed

Bug Fixes

SVG Optimization

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

| SVG | Original | v3.0.5 | v3.1.0 | Delta |
|---|---|---|---|---|
| Arch Linux Logo | 9.529 KiB | 4.608 KiB | 4.162 KiB | ⬇️ 0.446 KiB |
| Blobs | 50.45 KiB | 42.949 KiB | 42.949 KiB | |
| Isometric Madness | 869.034 KiB | 550.153 KiB | 550.153 KiB | |
| tldr-pages Banner | 2.071 KiB | 1.07 KiB | 1.07 KiB | |
| Wikipedia Logo | 161.551 KiB | 117.146 KiB | 116 KiB | ⬇️ 1.146 KiB |

Before and after of the browser bundle of each respective version:

| | v3.0.5 | v3.1.0 | Delta |
|---|---|---|---|
| svgo.browser.js | 657.5 kB | 660.9 kB | ⬆️ 3.4 kB |

3.0.5

What's Changed

Bug Fixes

Chores

  • Improved exported types for the #loadConfig method. By @nuintun in #1844

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

| SVG | Original | v3.0.4 | v3.0.5 | Delta |
|---|---|---|---|---|
| Arch Linux Logo | 9.529 KiB | 4.735 KiB | 4.608 KiB | ⬇️ 0.127 KiB |
| Blobs | 50.45 KiB | 42.949 KiB | 42.949 KiB | |
| Isometric Madness | 869.034 KiB | 550.593 KiB | 550.153 KiB | ⬇️ 0.44 KiB |
| tldr-pages Banner | 2.071 KiB | 1.07 KiB | 1.07 KiB | |
| Wikipedia Logo | 161.551 KiB | 117.152 KiB | 117.146 KiB | ⬇️ 0.006 KiB |

Before and after of the browser bundle of each respective version:

| | v3.0.4 | v3.0.5 | Delta |
|---|---|---|---|
| svgo.browser.js | 656.9 kB | 657.5 kB | ⬆️ 0.6 kB |

3.0.4

Includes various bug fixes for existing plugins and a new optimization. Also splits removeXMLNS, which removed XLink, into two separate plugins, removeXMLNS and removeXlink.

What's Changed

Default Behavior

  • Remove XML Namespace, no longer removes the XLink (xmlns:xlink) namespace. If that is desirable, you should enable the new Remove XLink (removeXlink) plugin, which does more while being safer. By @TrySound and @SethFalco in #1535

Bug Fixes

SVG Optimization

  • Convert Path Commands, convert to z command if going back to initial position, or drop z if redundant. By @KTibow in #1822
  • Inline Styles, when inlining a CSS property that's already declared in a presentation attribute of the node, drop the attribute. By @SethFalco in #1829
  • Remove XLink, new plugin that removes the XLink (xmlns:xlink) namespace and migrates from XLink attributes to the SVG 2 equivalent. Disabled by default. By @TrySound and @SethFalco in #1535

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

| SVG | Original | v3.0.3 | v3.0.4 | Delta |
|---|---|---|---|---|
| Arch Linux Logo | 9.529 KiB | 4.738 KiB | 4.735 KiB | ⬇️ 0.003 KiB |
| Blobs | 50.45 KiB | 42.949 KiB | 42.949 KiB | |
| Isometric Madness | 869.034 KiB | 550.699 KiB | 550.593 KiB | ⬇️ 0.106 KiB |
| tldr-pages Banner | 2.071 KiB | 1.07 KiB | 1.07 KiB | |
| Wikipedia Logo | 161.552 KiB | 118.441 KiB | 117.152 KiB | ⬇️ 1.289 KiB |

Before and after of the browser bundle of each respective version:

| | v3.0.3 | v3.0.4 | Delta |
|---|---|---|---|
| svgo.browser.js | 651.7 kB | 656.9 kB | ⬆️ 5.2 kB |

3.0.3

Includes various bug fixes and optimizations for existing plugins.

We've also revamped the documentation for the project. You can find it on svgo.dev!
The frontend for svgo.dev is maintained in svg/svgo.dev, contributions are welcome.

What's Changed

Settings

  • Remove Comments, introduces preservePatterns parameter. Preserves legal comments by default, same as the previous behavior, but can now be overridden. By @SethFalco in #1812
  • Remove Description, set the removeAny parameter to false by default for accessibility. By @SethFalco in #1806

Bug Fixes

  • Remove Raster Images, removes inlined JPEG images. By @abejfehr in #1742
  • Cleanup IDs, correctly handle when 2 IDs have been referenced in a single attribute. By @SethFalco in #1795
  • Cleanup IDs, correctly handle when we've encountered a reference to a node that doesn't exist. By @SethFalco in #1817
  • Inline Styles, treat style prop keys as case-insensitive. By @SethFalco in #1797
  • Inline Styles, remove all classes in multiclass selector. By @SethFalco in #1801
  • Inline Styles, ignore empty CSS blocks instead of adding empty style attribute. By @SethFalco in #1823
  • Minify Styles, removes unused class selectors when the document has no classes. By @SethFalco in #1800
  • Prefix IDs, reuse the same prefix when encountering an ID multiple times. By @SethFalco in #1814
  • Remove Hidden Elements, stops removing non-rendering elements like masks. By @SethFalco in #1793
  • Reuse Paths, creates a new ID if the current one is referenced by another element. By @SethFalco in #1784
  • Reuse Paths, removes redundant defs children after optimization. By @SethFalco in #1785
  • Reuse Paths, stops duplicating attributes into the shared definition. By @SethFalco in #1791
  • Don't crash on a null, undefined, or empty plugin. Instead, log a warning and ignore it. By @SethFalco in #1128

SVG Optimization

Performance

Chores

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

| SVG | Original | v3.0.2 | v3.0.3 | Delta |
|---|---|---|---|---|
| Arch Linux Logo | 8.584 KiB | 4.748 KiB | 4.747 KiB | ⬇️ 0.001 KiB |
| Blobs | 50.45 KiB | 42.949 KiB | 42.949 KiB | |
| Isometric Madness | 869.034 KiB | 550.829 KiB | 550.699 KiB | ⬇️ 0.13 KiB |
| tldr-pages Banner | 2.071 KiB | 1.07 KiB | 1.07 KiB | |
| Wikipedia Logo | 161.552 KiB | 118.441 KiB | 118.441 KiB | |

Before and after of the browser bundle of each respective version:

| | v3.0.2 | v3.0.3 | Delta |
|---|---|---|---|
| svgo.browser.js | 643.5 kB | 651.7 kB | ⬆️ 8.2 kB |

3.0.2

Installing @types/csso no longer required

3.0.1

  • store exposed types only in .d.ts files, no longer need to enable js checking
  • update svgo.browser.js
  • fixed "begin" attribute cleanup

Thanks to @Kreeg, @XhmikosR and @TrySound

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 sax (added, 1.5.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

depfu bot added the depfu label Mar 5, 2026

changeset-bot bot commented Mar 5, 2026

⚠️ No Changeset found

Latest commit: 3c98828

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR
