"High" Severity Audit from dependency css-select and css-what

[zackdotcomputer]

Describe the bug
Per this advisory installations that include svgo now cause an npm audit warning to appear because of the dependency on 3.x versions of css-select, which in turn depends on a version of css-what older than 5.0.1.

To Reproduce

1. Add svgo as a dependency.
2. Run npm audit

Expected behavior
No audit should appear

Proposed fix
Upgrade the dependency on css-select to be ^4.1.3 since 4.1.3 bumps their dependency on css-what to 5.0.1 and fixes this issue.

[SymbioticKilla]

Comment from css-what autor: fb55/css-what#503
There will be no 4.x release to fix this problem => Upgrade to 5.0.1

[zackdotcomputer]

@SymbioticKilla Yes but as I noted in my comment this project doesn't depend directly on css-what - it depends on css-select which has in turn already updated to css-what@5.0.1.

So for this project, the required action is to update the dependency on css-select to 4.1.3 or higher to pull in the new css-what

[sergei-maertens]

I'm investigating the dependency tree as well (via cssnano) and also ended up at svgo updating the css-select dependency. @zackdotcomputer's suggestion seems the right one.

[SymbioticKilla]

@zackdotcomputer I just noticed that there will be no fixed version for css-what in v4 branch(4.0.1 etc.) => it is up to svgo to fix the problem with major version update of css-select.

[mindctrl]

Existing PR here: #1485

[silkfire]

@TrySound @GreLI Any ETA on this?

[khadervali]

@zackdotcomputer was saying correct, @SymbioticKilla he is not asking to upgrade somethinng in select-css, he want svgo has to update select-css package to 5.x.x, now the svgo is using select-css@^3.1.2.
thier is an vulnerability reference as well CVE-2021-33587 (high)

+1

[SymbioticKilla]

@khadervali Actually, I have agreed in my both messages that is up to svgo. I have posted an evidence that svgo should not wait for css-what author for backport.