Update dependency svgo to v4.0.1 [SECURITY] by renovate[bot] · Pull Request #6124 · jpmorganchase/salt-ds

renovate · 2026-03-04T23:14:32Z

This PR contains the following updates:

Package	Change	Age	Confidence
svgo (source)	`4.0.0` → `4.0.1`

GitHub Vulnerability Alerts

CVE-2026-29074

Summary

SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory.

Details

The upstream XML parser (sax) doesn't interpret custom XML entities by default. We pattern matched custom XML entities from the DOCTYPE, inserting them into parser.ENTITIES, and enabled unparsedEntities. This gives us the desired behavior of supporting SVGs with entities declared in the DOCTYPE.

However, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them.

Proof of Concept

import { optimize } from 'svgo';

/** Presume that this string was obtained in some other way, such as network. */
const original = `
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  ]>
  <lolz>&lol9;</lolz>
`;

optimize(original);

Impact

If SVGO is run on untrusted input (i.e., user uploaded to server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG < 1 KB in size.

It's unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines.

Patches

SVGO has patched v4.0.1, v3.3.3, and v2.8.1! However, it's strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore.

Workarounds

== 4.0.0

For v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively:

For example:

yarn up -R sax

New options were introduced upstream which makes the way SVGO parses SVGs safe by default.

>= 2.1.0, <= 3.3.2

Users of v3 and v2 will have to take manual action. If users can't upgrade, they may be able to work around this as long as the project doesn't require support for custom XML entities, though it's not a simple flag.

Parse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO.

+ import SAX from 'sax';
  import { optimize } from 'svgo';

- const original =`
+ let original = `
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
  `;

+ const parser = SAX.parser();
+ /** @&#8203;param {string} doctype */
+ parser.ondoctype = (doctype) => {
+   original = original.replace(doctype, '');
+ }
+ parser.write(original);

  optimize(original);

Resources

Wikipedia: Billion laughs attack

Release Notes

svg/svgo (svgo)

`v4.0.1`

Compare Source

What's Changed

Dependencies

Sets minimum version of sax (XML parser) to v1.5.0, which improves built-in guards against entity expansion.

Bug Fixes

removeEmptyContainers, removed leftover <use> elements referencing an empty container that were removed. By @johnkenny54 in #2051
removeUnknownsAndDefaults, don't remove attributes if they're referenced in attribute selectors (CSS). By @SethFalco in #2144

Performance

convertPathData, refactor to reduce redundant equality checks. By @Lorfdail in #1764 and #2135
removeHiddenElems, compute styles lazily. By @Lorfdail in #1764 and #2135

Other Changes

Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The --show-plugins argument appends the presets a plugin is in to the end of the line. By @viralcodex in #2174
Plugin/preset types to enforce the name start with preset- if it is a preset (collection of plugins). By @SethFalco in #2178

Metrics

Before and after of the browser bundle of each respective version:

	v4.0.0	v4.0.1	Delta
svgo.browser.js	780.2 kB	781.5 kB	⬆️ 1.3 kB

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel · 2026-03-04T23:14:34Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
saltdesignsystem	Ready	Preview, Comment	Mar 4, 2026 11:18pm

changeset-bot · 2026-03-04T23:14:38Z

⚠️ No Changeset found

Latest commit: 692e39d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Update dependency svgo to v4.0.1 [SECURITY]

692e39d

vercel bot deployed to Preview March 4, 2026 23:18 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency svgo to v4.0.1 [SECURITY]#6124

Update dependency svgo to v4.0.1 [SECURITY]#6124
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-svgo-vulnerability

renovate bot commented Mar 4, 2026

Uh oh!

vercel bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

changeset-bot bot commented Mar 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Mar 4, 2026

GitHub Vulnerability Alerts

CVE-2026-29074

Summary

Details

Proof of Concept

Impact

Patches

Workarounds

== 4.0.0

>= 2.1.0, <= 3.3.2

Resources

Release Notes

v4.0.1

What's Changed

Dependencies

Bug Fixes

Performance

Other Changes

Metrics

Configuration

Uh oh!

vercel bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

changeset-bot bot commented Mar 4, 2026

⚠️ No Changeset found

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

`v4.0.1`

vercel bot commented Mar 4, 2026 •

edited

Loading