Project

General

Profile

Actions
Copy link

Bug #96901

closed

Upgrade enshrined/svg-sanitize to ^0.15

Added by Kevin Lange over 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2022-02-15
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Currently roave/security-advisories prevents typo3 10.4.x from installing/upgrading due to a dependency on enshrined/svg-sanitize with a security vulnerability.

 - typo3/cms-core[v10.4.20, v10.4.21, v10.4.22, v10.4.23, v10.4.24, 10.4.x-dev] require enshrined/svg-sanitize ^0.14.1 -> satisfiable by enshrined/svg-sanitize[0.14.1].
.....
   - roave/security-advisories dev-latest conflicts with enshrined/svg-sanitize 0.14.1.

Possible solution:
Upgrade enshrined/svg-sanitize to 0.15.x

Further Information:
https://packagist.org/packages/enshrined/svg-sanitize links to https://github.com/darylldoyle/svg-sanitizer which contains an open issue (https://github.com/darylldoyle/svg-sanitizer/issues/71) regarding CVE-2022-23638 (https://nvd.nist.gov/vuln/detail/CVE-2022-23638)

Roave/SecurityAdvisories updated their constraints in a recent update:
https://github.com/Roave/SecurityAdvisories/commit/1032f0ce78ed92e983c17697eafd202ac5cbbca4

Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Task #100233: Upgrade enshrined/svg-sanitize to ^0.16Rejected2023-03-20

Actions
Has duplicate TYPO3 Core - Task #96902: Upgrade enshrined/svg-sanitize to ^0.15.0Closed2022-02-15

Actions
Has duplicate TYPO3 Core - Bug #96990: Update enshrined/svg-sanitize to v0.15.0ClosedOliver Hader2022-02-22

Actions
Actions
Copy link

Also available in: Atom PDF