
chore(deps): update dependency svgo to v2 [security]#309

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-svgo-vulnerability

Conversation


@renovate renovate bot commented Mar 5, 2026

This PR contains the following updates:

Package | Change
svgo (source) | ^1.3.2 → ^2.0.0

GitHub Vulnerability Alerts

CVE-2026-29074

Summary

SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory.

Details

The upstream XML parser (sax) doesn't interpret custom XML entities by default. We pattern-matched custom XML entities from the DOCTYPE, inserting them into parser.ENTITIES, and enabled unparsedEntities. This gives us the desired behavior of supporting SVGs with entities declared in the DOCTYPE.

However, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them.

Proof of Concept

import { optimize } from 'svgo';

/** Presume that this string was obtained in some other way, such as network. */
const original = `
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  ]>
  <lolz>&lol9;</lolz>
`;

optimize(original);

Impact

If SVGO is run on untrusted input (e.g., user uploads to a server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG < 1 KB in size.

It's unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines.

Patches

SVGO has patched this in v4.0.1, v3.3.3, and v2.8.1! However, it's strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore.

Workarounds

== 4.0.0

For v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively:

For example:

yarn up -R sax

New options were introduced upstream which make the way SVGO parses SVGs safe by default.

>= 2.1.0, <= 3.3.2

Users of v3 and v2 will have to take manual action. If users can't upgrade, they may be able to work around this as long as the project doesn't require support for custom XML entities, though it's not a simple flag.

Parse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO.

+ import SAX from 'sax';
  import { optimize } from 'svgo';

- const original =`
+ let original = `
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
  `;

+ const parser = SAX.parser();
+ /** @&#8203;param {string} doctype */
+ parser.ondoctype = (doctype) => {
+   original = original.replace(doctype, '');
+ }
+ parser.write(original);

  optimize(original);
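Review bot: the `ondoctype` handler on the `+` lines never rejects anything; it only deletes the doctype text from `original`, so the `&lol9;` reference in the body is still there when `optimize(original)` runs and the outcome depends on how SVGO treats an entity that is no longer declared, not on an explicit check. The surrounding text says to "throw/escape" when custom entities are present, so make that the callback's job and stop rewriting the input in place: `parser.ondoctype = (doctype) => { if (/<!ENTITY/i.test(doctype)) throw new Error('custom XML entities are not supported'); };`. Worth stating as well that input with no DOCTYPE never triggers the callback and reaches `optimize` unchanged, which is the intended path.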

Resources

Severity
  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Release Notes

svg/svgo (svgo)

v2.8.1

Compare Source

Deprecated

This release left *.test.js files in the package, which have been omitted in v2.8.2. Sorry for the noise!

What's Changed

Dependencies
  • Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).
Bug Fixes
  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

File | v2.8.0 | v2.8.1 | Delta
svgo.browser.js | 587.2 kB | 589.2 kB | ⬆️ 2 kB

Support

SVGO v2 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v2 to v3 and Migration Guide from v3 to v4 which should ease the process.

v2.8.0

Compare Source

If you enjoy SVGO and would like to support our work, consider sponsoring us directly via our OpenCollective.

Join us in our discord

Features and bug fixes

  • added --no-color flag for testing purposes but you may find it useful (#1588)
  • handle url() in style attributes properly (#1592)
  • removeXMLNS plugin now removes xmlns:xlink attribute (#1508)
  • load .cjs configuration only with require to fix segfaults in linux (#1605)

Refactorings

  • simplified and covered with types svg stringifier (#1593)
  • migrated to visitor api and covered with types removeEmptyAttrs plugin (#1594)
  • migrated to visitor api and covered with types inlineStyles plugin (#1601)
  • migrated to picocolors (#1606)

DX

I found some users are trying to enable plugins which are not part of the default preset, for example

{
  name: 'preset-default',
  params: {
    overrides: {
      cleanupListOfValues: true
    }
  }
}

To fix this I made the docs more concrete about plugins (5165ccb)
and introduced a warning when true is specified in overrides (cb7e9be).
Please give us feedback if you still have issues.

Thanks to @IlyaSkriblovsky, @devongovett, @matheus1lva, @omgovich, @renatorib and @TrySound

v2.7.0

Compare Source

If you enjoy SVGO and would like to support our work, consider sponsoring us directly via our OpenCollective.

Join us in our discord

ES Modules support

This release adds support for ES modules in svgo.config.js when the package.json type field is "module".
For projects with mixed cjs and esm, svgo.config.mjs and svgo.config.cjs are also supported as fallbacks.

See #1583

export default {
  plugins: [
    'preset-default'
  ]
}

Fixes

  • added validation to removeAttrs plugin (#1582)

Refactorings

The following plugins are migrated to the new visitor plugin api and covered with tsdoc

Other internal changes

  • covered svg parser with tsdoc (#1584)
  • avoided parentNode in style manager which makes us one step closer to releasing new plugin api publicly (#1576)
  • replaced colorette with nanocolors (#1586)

Thanks to @renatorib, @matheus1lva, @omgovich, @deepsweet, @ai, @samouss and @TrySound

v2.6.1

Compare Source

  • fixed optimize(svg) usage without config (#1573)
  • added missing filter primitives to collections (#1571)
  • migrated to visitor plugin api and covered with tsdoc removeEmptyContainers plugin (#1570)

Thanks to @XhmikosR, @thewilkybarkid, @renatorib, @matheus1lva, @omgovich and @TrySound

v2.6.0

Compare Source

If you enjoy SVGO and would like to support our work, consider sponsoring us directly via our OpenCollective.

We have some good stuff in this release

Better syntax errors (#1553)

Before, people struggled to figure out what happens and why with such a cryptic error

Error: Error in parsing SVG: Unquoted attribute value
Line: 1
Column: 29
Char: 6
File: input.svg

This gives too little information when a lot of svgs are transformed.

New errors look like this: they include context and point to the exact location of the issue.
We hope this will solve many issues when dealing with bundlers and other tool integrations.

Error: SvgoParserError: input.svg:2:29: Unquoted attribute value

  1 | <svg viewBox="0 0 120 120">
> 2 |   <circle fill="#ff0000" cx=60.444444" cy="60" r="50"/>
    |                             ^
  3 | </svg>
  4 |

prefixIds plugin is now idempotent (#1561)

To get better compression results SVGO uses multipass option. This option is used
to run prefixIds plugin only once to prefix ids and classes properly.

Though sometimes users run svgo manually a few times, which leads to duplicated
prefixes and makes the code much bigger. To solve this, prefixIds was redesigned
to add the prefix only when it does not exist in ids and classes.

Eventually all plugins are planned to be deterministic and idempotent
so the multipass option would not be necessary and single pass compression
could be as effective as possible.

New js2svg options (#1546)

js2svg.eol: 'lf' | 'crlf'

Allows customizing the end-of-line characters, which are usually resolved by os.EOL in node.

finalNewline: boolean

Ensures SVG output has a final newline which is required for some tools like git.

Fixes and refactorings

The following plugins are migrated to the new visitor plugin api and covered with tsdoc

Also fixed a few bugs

  • add xmlns:xlink in reusePaths plugin when missing (#1555)
  • fixed removeNone param in removeUselessStrokeAndFill plugin (#1549)

Thanks to @XhmikosR, @matheus1lva, @deepsweet, @omgovich, @adalinesimonian and @TrySound

v2.5.0

Compare Source

In this release we have a couple of fixes

  • fixed removing transform-origin attribute (680e143)
  • fixed applying transform to path arc with zero radius (ac8edba)

Visitor api now gets parentNode in enter and exit callbacks

return {
  element: {
    enter: (node, parentNode) => {
    },
    exit: (node, parentNode) => {
    }
  }
}

And a lot of plugins are migrated to visitor api and covered with tsdoc

  • addAttributesToSVGElement
  • addClassesToSVGElement
  • cleanupAttrs
  • cleanupEnableBackground
  • cleanupListOfValues
  • cleanupNumericValues
  • convertColors
  • convertEllipseToCircle
  • convertShapeToPath
  • convertTransform
  • mergePaths
  • removeAttributesBySelector
  • removeAttrs
  • removeComments
  • removeDesc
  • removeDoctype
  • removeElementsByAttr
  • removeEmptyText
  • removeMetadata
  • removeRasterImages
  • removeScriptElement
  • removeStyleElement
  • removeTitle
  • removeXMLProcInst
  • removeHiddenElems
  • removeViewBox
  • removeUselessDefs
  • removeOffCanvasPaths
  • removeUnknownsAndDefaults
  • sortDefsChildren

Thanks to @XhmikosR, @morganney, @oBusk, @matheus1lva and @TrySound

v2.4.0

Compare Source

Hey everybody!

In this release I am happy to introduce the new plugin "preset-default" which allows you to declaratively set up and customize the default set of plugins. The previous solution, the extendDefaultPlugins utility, prevented parcel users from using a cacheable json config, and svgo-loader and svgo-jsx required svgo to be installed locally. The "preset-default" plugin is just another builtin plugin.

module.exports = {
  plugins: [
    {
      name: 'preset-default',
      params: {
        overrides: {
          // customize options
          builtinPluginName: {
            optionName: 'optionValue',
          },
          // or disable plugins
          anotherBuiltinPlugin: false,
        },
      },
    },
  ],
};

We also fixed a few bugs

  • performance is improved by ~37% for svg with styles (#1456)
  • reset cursor after "closeto" command when applying transformation (9e578b5)
  • fixed usage of removed internal methods (#1479)
  • chalk is replaced with smaller colorette (#1511)
  • test files are excluded from published package (#1458)
  • remove more spaces around flag in arc command (#1484)

Thanks to @TrySound, @ydaniv, @ludofischer, @XhmikosR and @joseprio

v2.3.1

Compare Source

Fixed vulnerability in css-select dependency (#1485)

Thanks to @ericcornelissen

v2.3.0

Compare Source

Hey, everybody! We have a big release here.

  • The new plugin is added for merging style elements into one. See #1381

Before:

<svg>
  <style media="print">
    .st0{ fill:red; padding-top: 1em; padding-right: 1em; padding-bottom: 1em; padding-left: 1em; }
  </style>
  <style>
    .test { background: red; }
  </style>
</svg>

After:

<svg>
  <style>
    @media print{
      .st0{ fill:red; padding-top: 1em; padding-right: 1em; padding-bottom: 1em; padding-left: 1em; }
    }
    .test { background: red; }
  </style>
</svg>
  • CLI got new --exclude flag which uses regexps to exclude some files from --folder. See #1409
svgo --folder=svgs --exclude "invalid-icon" "bad-.+"
  • Internal AST is migrated to XAST. This spec makes maintaining plugins easier and may be used as interop with other tools like SVGR.

  • The new visitor plugin type combines features of "full", "perItem" and "perItemReverse" plugins without losing simplicity. Eventually only visitor api will be supported. See #1454

Also small fixes

  • override default floatPrecision in plugins with globally specified one (7389bcd)
  • fix rendering -0 in path data (3d4adb6)
  • make browser bundle 30% smaller (2799622)
  • simplified convertPathData plugin (a04b27a and 6165743)
  • prepared for more regression tests (d89d36e)

Thanks to @chambo-e, @strarsis, @XhmikosR, @omgovich and @TrySound

v2.2.2

Compare Source

  • ignore keyframes in computeStyle (ddbd704)

v2.2.1

Compare Source

This is a big patch with new style computing (#1399) and regression tests landed in master

A lot of bugs are fixed

  • fixed scientific notation parsing in paths (d6f972c)
  • forbade invalid <style> type attribute in inlineStyles plugin (#1400)
  • fixed <style> support in removeHiddenElems plugin (#1399)
  • fixed noSpaceAfterFlags option support (0e02fd9)
  • fixed floatPrecision when extending default plugins (d58a7e6)
  • fixed <style> support when removing useless path commands (c21fef5)
  • fixed <style> support when combining path commands (ba7e9bd)
  • prevent removing filter primitive defaults (555a961)
  • prevent merging paths with markers (de4fd79)
  • prevent removing single point paths with markers (21c04e4)
  • keep empty <pattern> when at least one argument is present (0e6b0c4)
  • keep <marker> with display none (d3e3726)
  • preserve empty conditional processing attributes (a2b0e73)
  • preserve viewBox in nested <svg> (28c01cf)

435 of 526 regression tests are passing

Thanks to @XhmikosR @sk- and @TrySound

v2.2.0

Compare Source

Wow, two minor releases in a row. There is a big reason for that. We got a new logo! See it in the readme. Big thanks to @DerianAndre.

A brand new path data parser and stringifier were also implemented (#1378 and #1387) to do more reliable transformations and produce smaller svg.

A cup of small fixes

  • fixed optimisation when stroke-linecap=round is specified (7901588)
  • prevented transform applying when inline style is present (79dbb4b)
  • apply transform to stroke-dasharray and stroke-dashoffset (dd37fcf)
  • fixed removing hidden elements when descendant enables visibility (d06747a)
  • fixed removing elements with zero opacity inside clipPath (9d67586)
  • fixed removing empty mask which can hide elements by id (d14315b)
  • fixed removing stroke-width when marker-end is specified (3639156)
  • fixed <tspan> inside <a> (091172a)

Thanks to @sk- @XhmikosR @deepsweet and @TrySound

v2.1.0

Compare Source

This release introduced two big changes

  • we forked sax parser to fix issues inaccessible from public api (https://github.com/svg/sax)
  • we added regression tests which already caught 4 bugs (WIP)

See fixed bugs

  • fixed empty <svg /> with enabled cleanupIDs plugin (9b97e06)
  • fail when file specified in --config flag does not exist or json string is specified (a855b40)
  • disabled convertStyleToAttrs by default (#1365)
  • preserve whitespace in elements containing text (#1220)
  • fixed removing xml:space="preserve" (776ec1e)
  • preserve whitespace in nested textual elements (9de471a)
  • keep empty <g> when filter attribute is specified (c1d5f0f)
  • fixed parsing xml entities (#1371 isaacs/sax-js#200)

Thanks to @XhmikosR @sk- @chromakode @devongovett and @TrySound

v2.0.3

Compare Source

  • reduced browser build size 1450kB -> 820kB (82778c8)
  • fixed adding empty <defs> by reusePaths plugin (#1201)
  • fixed reporting parsing errors (ea82cc2)
  • fixed convertEllipseToCircle plugin when rx or ry attributes are not specified (7f4e052)
  • fixed removing mask-type on <mask> (4490d62)
  • fixed removing elements when class is empty in removeElementsByAttr plugin (d9f68d3)
  • disable removing spaces in <path> by default to support many broken non-browser environments (#1353)
  • fixed error message in addAttributesToSVGElement plugin (c1edce4)

Thanks to @ChrisRu @XhmikosR @yisibl @TrySound

v2.0.2

Compare Source

  • added better docs (#1337)
  • removed unsafe usage of Buffer constructor (#1341)
  • fixed incorrect regexp in convertStyleToAttrs plugin (#1338)
  • fixed swallowing errors in config files (#1342)

Thanks to @XhmikosR and @TrySound

v2.0.1

Compare Source

Thanks to @sk- @Brooooooklyn @strarsis @AlpayY @TrySound

v2.0.0

Compare Source

Happy to introduce SVGO 2.0. Package size was drastically reduced. Configuration
is heavily simplified. Node 10.13+ is required.

  • smaller install size
  • simplified config format
  • added browser ready es module bundle
  • API is synchronous
  • support only svgo.config.js for external configuration

Config changes

Since early versions, plugins configuration was affected by yaml syntax.
Though it was not practical in json or javascript for writing and for internal
work.

plugins:
    - removeViewBox: true
    - removeAttr:
        attrs: '(fill|stroke)'

{
  plugins: [
    {
      removeViewBox: true
    },
    {
      removeAttr: {
        attrs: '(fill|stroke)'
      }
    }
  ]
}

In the new version plugins configuration is closer to internal representation.

{
  plugins: [
    {
      name: 'removeViewBox'
    },
    {
      name: 'removeAttr',
      params: {
        attrs: '(fill|stroke)'
      }
    }
  ]
}

In v1 the full flag allowed disabling all default plugins and running only those specified
in the plugins list. In v2 it's the default behaviour. To extend the default plugins list
you can use the extendDefaultPlugins utility.

{
  plugins: extendDefaultPlugins([
    {
      name: 'removeViewBox',
      active: false,
    }
  ])
}

Loading custom plugin by path was removed in favour of manual import or require.

+const customPlugin = require('./custom-plugin.js')
 {
   plugins: [
     {
       name: 'customPlugin',
-      path: './custom-plugin.js'
+      ...customPlugin
     }
   ]
 }

CLI changes

Painful coa was replaced with well-maintained commander.

--enable and --disable flags are removed. In later versions we will explore
plugins setup via CLI.

Inlined json config is no longer supported. CLI flags should be used instead.

--config="{multipass:true}"

By default SVGO CLI will search for svgo.config.js. --config flag allows
to specify js config with any name.

YAML and JSON configuration is no longer supported for the sake of simplicity
and fewer dependencies.

Node API changes

Initially SVGO was implemented with callback style api to fit sax recommendation.
Though in practice api was synchronous and allowed to access the result assigned
in callback right after optimisation.

For v1 callback style was replaced with a promise api which could no longer be run
synchronously. This was a pain point for many tools and required hacking svgo.

In v2 this pain is considered and api is now synchronous. No hacks necessary.

SVGO class is replaced with optimize function.

-const { SVGO } = require('svgo')
-const svgo = new SVGO({
-  // config
-  multipass: true
-})
-svgo.optimize(svgstring, { path: './file.svg' }).then(result => {
-  ...
-})
+const { optimize, extendDefaultPlugins } = require('svgo')
+optimize(svgstring, {
+  path: './file.svg',
+  multipass: true,
+})
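Review bot: `extendDefaultPlugins` is destructured on the first `+` line but never used in the snippet; either drop it or show it in the `plugins` option the way the Config changes section above does. And since the point of this hunk is that `optimize` is now synchronous, the example should capture the return value (`const result = optimize(svgstring, { ... })`) instead of discarding the result that the removed `.then(result => ...)` callback used to receive.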

Some tools require the same logic for resolving svgo config as SVGO CLI.

const { loadConfig, optimize } = require('svgo')
...
const config = await loadConfig()
optimize(svgstring, { path: './file.svg', ...config })

Browser ready bundle

There were a lot of requests for this feature in the past.
Now tools like svgomg may use the official and tested es module for browsers with optimize, extendDefaultPlugins and createContentItem support.

import {
  optimize,
  extendDefaultPlugins,
  createContentItem
} from 'svgo/dist/svgo.browser.js'

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here
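The DOCTYPE pre-check that the advisory's Workarounds section sketches, written out as an added fail-closed example for this thread. It is not SVGO's code, the advisory's code, or anything in this repository, and it needs no npm packages, so it can sit in front of `optimize()` on any of the SVGO lines listed above. Instead of expanding entities it computes how large each entity and the document body would become after expansion, so the check itself runs in time linear in the input even for the advisory's payload. `MAX_EXPANSION_CHARS`, `MAX_ENTITY_DECLS`, the function names and the sample documents are assumptions and constructed inputs; `billionLaughs(9)` rebuilds the exact shape of the advisory's proof of concept and the builder takes any depth.

```javascript
// Added example (not SVGO's or the advisory's code): reject untrusted SVG whose
// DOCTYPE declares entities that would blow up on expansion, without expanding
// them. The limits and names below are assumptions chosen for illustration.

const MAX_EXPANSION_CHARS = 10000; // assumed policy: max net growth from entity expansion
const MAX_ENTITY_DECLS = 32;       // assumed policy: max <!ENTITY> declarations per document
const PREDEFINED = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

// Return the whole "<!DOCTYPE ...>" text including the [ internal subset ],
// null when there is no DOCTYPE, or throw when it is unterminated.
function extractDoctype(xml) {
  const start = xml.indexOf('<!DOCTYPE');
  if (start === -1) return null;
  let depth = 0;    // [ ] nesting of the internal subset
  let quote = null; // active quote character while inside a literal
  for (let i = start + '<!DOCTYPE'.length; i < xml.length; i++) {
    const c = xml[i];
    if (quote) { if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'") quote = c;
    else if (c === '[') depth++;
    else if (c === ']') depth--;
    else if (c === '>' && depth === 0) return xml.slice(start, i + 1);
  }
  throw new Error('unterminated DOCTYPE');
}

// Collect internal general entities as Map(name -> replacement text).
// Parameter entities (<!ENTITY % ...>) and external ones (SYSTEM/PUBLIC) are
// rejected outright: an SVG never needs them and both are classic attack surface.
function collectEntities(doctype) {
  const decl = /<!ENTITY\s+(%\s+)?([^\s"'>]+)\s+(SYSTEM|PUBLIC)?\s*(?:"([^"]*)"|'([^']*)')/g;
  const entities = new Map();
  let m;
  while ((m = decl.exec(doctype)) !== null) {
    const [, param, name, external, dq, sq] = m;
    if (param) throw new Error(`parameter entity not allowed: %${name}`);
    if (external) throw new Error(`external entity not allowed: ${name}`);
    if (entities.size >= MAX_ENTITY_DECLS) throw new Error('too many entity declarations');
    if (!entities.has(name)) entities.set(name, dq !== undefined ? dq : sq); // XML: first declaration wins
  }
  return entities;
}

// Size of `text` after full entity expansion, summing memoised sizes of the
// entities it references instead of building the string. `stack` holds the
// entities currently being expanded, so any cycle surfaces as recursion.
function expandedSize(text, entities, memo, stack) {
  const ref = /&([^;&\s]+);/g;
  let size = 0, last = 0, m;
  while ((m = ref.exec(text)) !== null) {
    size += m.index - last;
    last = m.index + m[0].length;
    const name = m[1];
    if (name.startsWith('#') || PREDEFINED.has(name)) { size += 1; continue; } // char ref / built-in
    if (!entities.has(name)) { size += m[0].length; continue; }               // undeclared: left for the parser
    if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, expandedSize(entities.get(name), entities, memo, stack));
      stack.delete(name);
    }
    size += memo.get(name);
  }
  return size + text.length - last;
}

// Verdict for one document: { ok: true, entities } or { ok: false, reason }.
// Every failure, malformed input included, is a rejection rather than a throw.
function checkEntityExpansion(xml) {
  try {
    const doctype = extractDoctype(xml);
    if (doctype === null) return { ok: true, entities: 0 };
    const entities = collectEntities(doctype);
    const memo = new Map();
    for (const [name, value] of entities) {
      if (!memo.has(name)) memo.set(name, expandedSize(value, entities, memo, new Set([name])));
      if (memo.get(name) > MAX_EXPANSION_CHARS) {
        return { ok: false, reason: `entity ${name} expands to ${memo.get(name)} characters` };
      }
    }
    const body = xml.replace(doctype, '');
    const growth = expandedSize(body, entities, memo, new Set()) - body.length;
    if (growth > MAX_EXPANSION_CHARS) {
      return { ok: false, reason: `document body grows by ${growth} characters on expansion` };
    }
    return { ok: true, entities: entities.size };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed inputs. billionLaughs(9) has the shape of the advisory's PoC.
function billionLaughs(levels) {
  let dtd = '<!ENTITY lol "lol">';
  for (let i = 1; i <= levels; i++) {
    dtd += `<!ENTITY lol${i} "${`&lol${i - 1 || ''};`.repeat(10)}">`;
  }
  return `<?xml version="1.0"?><!DOCTYPE lolz [${dtd}]><lolz>&lol${levels};</lolz>`;
}
const BENIGN_SVG = '<?xml version="1.0"?>\n' +
  '<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [\n' +
  '  <!ENTITY ns_svg "http://www.w3.org/2000/svg">\n  <!ENTITY ns_xlink "http://www.w3.org/1999/xlink">\n]>\n' +
  '<svg xmlns="&ns_svg;" xmlns:xlink="&ns_xlink;" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>';
const RECURSIVE_SVG = '<!DOCTYPE svg [<!ENTITY a "&b;"><!ENTITY b "&a;">]><svg>&a;</svg>';
const EXTERNAL_SVG = '<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]><svg>&x;</svg>';
```

Call `checkEntityExpansion(svg)` before `optimize(svg)` and refuse the upload on `ok: false`; the billion-laughs document is rejected at `lol4` (30000 characters) long before `lol9`, a two-entity namespace DOCTYPE passes, and `a -> b -> a` is reported as recursion. Because the check never touches SVGO's parser, it keeps working unchanged after the sax upgrade, where it becomes defence in depth rather than the only guard.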


vercel bot commented Mar 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
react-spring-bottom-sheet | Error | Error | Mar 30, 2026 5:43pm


codesandbox bot commented Mar 5, 2026

Review or Edit in CodeSandbox



socket-security bot commented Mar 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | svgo@1.3.2 ⏵ 2.8.2 | 99 | 100 | 100 | 95 (+45) | 100 (+20)

View full report

@renovate renovate bot changed the title chore(deps): update dependency svgo to v2 [security] chore(deps): update dependency svgo to v2 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-svgo-vulnerability branch March 27, 2026 01:08
@renovate renovate bot changed the title chore(deps): update dependency svgo to v2 [security] - autoclosed chore(deps): update dependency svgo to v2 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-svgo-vulnerability branch 2 times, most recently from d8550d1 to 203fec9 on March 30, 2026 17:40
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | Obfuscated code: npm buffer is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: package-lock.json › npm/next@10.2.3 › npm/buffer@4.9.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
