Update dependency svgo to v3.3.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svgo (source)	3.2.0 → 3.3.3

GitHub Vulnerability Alerts

CVE-2026-29074

Summary

SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory.

Details

The upstream XML parser (sax) doesn't interpret custom XML entities by default. We pattern matched custom XML entities from the DOCTYPE, inserting them into parser.ENTITIES, and enabled unparsedEntities. This gives us the desired behavior of supporting SVGs with entities declared in the DOCTYPE.

However, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them.

Proof of Concept

import { optimize } from 'svgo';

/** Presume that this string was obtained in some other way, such as network. */
const original = `
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  ]>
  <lolz>&lol9;</lolz>
`;

optimize(original);

Impact

If SVGO is run on untrusted input (i.e., user uploaded to server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG < 1 KB in size.

It's unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines.

Patches

SVGO has patched v4.0.1, v3.3.3, and v2.8.1! However, it's strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore.

Workarounds

== 4.0.0

For v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively:

For example:

yarn up -R sax

New options were introduced upstream which makes the way SVGO parses SVGs safe by default.

>= 2.1.0, <= 3.3.2

Users of v3 and v2 will have to take manual action. If users can't upgrade, they may be able to work around this as long as the project doesn't require support for custom XML entities, though it's not a simple flag.

Parse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO.

+ import SAX from 'sax';
  import { optimize } from 'svgo';

- const original =`
+ let original = `
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
  `;

+ const parser = SAX.parser();
+ /** @&#8203;param {string} doctype */
+ parser.ondoctype = (doctype) => {
+   original = original.replace(doctype, '');
+ }
+ parser.write(original);

  optimize(original);

Resources

• Wikipedia: Billion laughs attack

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

---

Release Notes

svg/svgo (svgo)

v3.3.3

Compare Source

What's Changed

Dependencies

• Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

• No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

	v3.3.2	v3.3.3	Delta
svgo.browser.js	910.9 kB	912.9 kB	⬆️ 2 kB

Support

SVGO v3 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

v3.3.2

Compare Source

Notice

An update on what happened with v3.3.0 and v3.3.1. While we have retained CJS support, the migration to ESM has changed the acceptable ways to import SVGO, in ways that users depended on before. This effectively made SVGO v3 a breaking change.

Rather than resolve or workaround these differences, we've opted to release SVGO v3.3.2, which is effectively a revert to v3.2.0, and deprecate versions v3.3.0 and v3.3.1. We'll then proceed to work on releasing v4 which will document the breaking changes, and feature further breaking changes that were slated for v4, like disabling removeViewBox by default.

Before the v4.0.0 release, I'll put more focus on testing and use release candidates, just to make the release go smoothly! 👍🏽

Sorry for the headache, and thank you for your patience.

v3.3.1

Compare Source

Notice

SVGO v3.3.0, which was meant to migrate to ESM without breaking CJS support, unfortunately broke CJS projects. There was a mistake with exports, so the loadConfig function wasn't available in the CJS bundle and lead to issues for many users.

Thanks to everyone who raised the issue, and to @​nuintun who submitted a pull request to resolve it so quickly.

I apologize for letting that breaking change through, and will aim to do better. Namely, by adding more tests to cover our exports, and any other public interface in general for each distribution of SVGO, so this doesn't happen again.

SVGO v3.3.1 should resolve the issue for CJS projects, but if you encounter anything else, do let us know by opening an issue on GitHub.

v3.3.0

Compare Source

Deprecated

This release introduced breaking changes, which have been reverted in v3.3.2. The bug fixes will be reintroduced in v4.0.0.

What's Changed

ESM

SVGO is now a dual package, serving for both Common JS and ESM usage. We believe there shouldn't be any problems, especially as SVGO as largely stateless, but feel free to open an issue if you encounter problems with this.

To be explicit, this is not a breaking change, and SVGO should continue to work in Common JS projects!

Thanks to @​jdufresne for doing the bulk of the work.

Default Behavior

• convertColors, now converts all references to colors excluding references to IDs to lowercase. This can be disabled by setting convertCase to false.

Bug Fixes

• cleanupIds, treat both URI encoded and non-URI encoded IDs as the same. By @​liuweifeng in #​1982
• collapseGroups, check styles as well as attributes. By @​johnkenny54 in #​1952
• collapseGroups, move attributes atomically. By @​johnkenny54 in #​1930
• convertPathData, fix q control point when item is removed. By @​KTibow in #​1927
• convertPathData, preserve vertex for markers only paths. By @​SethFalco in #​1967
• mergePaths, don't merge paths if attributes/styles depend on the node's bounding box. By @​johnkenny54 in #​1964
• moveElemsAttrsToGroups, no longer moves the transforms if group has the filter attribute. By @​johnkenny54 in #​1933
• prefixIds, fixed issue where some IDs were not prefixed when style tag contained XML comments. By @​john-neptune in #​1942
• removeHiddenElems, don't remove node if child element has a referenced ID. By @​johnkenny54 in #​1925
• removeHiddenElems, treat path[opacity=0] as a non-rendering node. By @​johnkenny54 in #​1948
• removeUselessDefs, don't remove node if child element has an ID. By @​johnkenny54 in #​1923
• When stringifying path data, include a space before numbers represented in scientific notation. By @​johnkenny54 in #​1961
• No longer crashes when the output (-o argument) ends with a trailing slash to a location that didn't exist. By @​SethFalco in #​1954

SVG Optimization

• convertColors, introduce parameter to convert colors to common casing (lowercase/uppercase). By @​JayLeininger in #​1692
• removeDeprecatedAttrs, new plugin that is disabled by default to remove SVG attributes that are deprecated. By @​jdufresne in #​1869

Metrics

Before and after using vectors from various sources, with the default preset of each respective version:

SVG	Original	v3.2.0	v3.3.0	Delta
Arch Linux Logo	9.529 KiB	4.115 KiB	4.097 KiB	⬇️ 0.018 KiB
Blobs	50.45 KiB	42.623 KiB	42.609 KiB	⬇️ 0.014 KiB
Isometric Madness	869.034 KiB	540.582 KiB	540.073 KiB	⬇️ 0.509 KiB
tldr-pages Banner	2.071 KiB	1.07 KiB	1.07 KiB
Wikipedia Logo	161.551 KiB	111.668 KiB	111.668 KiB

Before and after of the browser bundle of each respective version:

	v3.2.0	v3.3.0	Delta
svgo.browser.js	910.9 kB	753.0 kB	⬇️ 157.9 kB

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.