Bump svgo to 3.3.3 to address CVE-2026-29074 (#1920)#1920
Closed
rozele wants to merge 1 commit into
Closed
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
meta-codesync
Bot
changed the title
rozele
added a commit
to rozele/yoga
that referenced
this pull request
Mar 16, 2026
Summary: Adds a Yarn resolution to pin `svgo` to version `3.3.3` across all transitive dependencies in the Yoga package. This addresses CVE-2026-29074 (GHSA-xpqw-6gx7-v673) by upgrading from `3.3.2` to the patched version. The fix is minimal and safe — no code changes, just a version bump of a transitive dependency used by `svgr/plugin-svgo` and `postcss-svgo`. --- AI generated Summary & Test Plan from DEV112213693 Reviewed By: NickGerleman Differential Revision: D96742846
rozele
force-pushed
the
export-D96742846
branch
from
80dbc46 to
83e8e0f
Compare
rozele
added a commit
to rozele/yoga
that referenced
this pull request
Mar 16, 2026
Summary: Pull Request resolved: react#1920 Adds a Yarn resolution to pin `svgo` to version `3.3.3` across all transitive dependencies in the Yoga package. This addresses CVE-2026-29074 (GHSA-xpqw-6gx7-v673) by upgrading from `3.3.2` to the patched version. The fix is minimal and safe — no code changes, just a version bump of a transitive dependency used by `svgr/plugin-svgo` and `postcss-svgo`. --- AI generated Summary & Test Plan from DEV112213693 Reviewed By: NickGerleman Differential Revision: D96742846
rozele
force-pushed
the
export-D96742846
branch
from
83e8e0f to
4c3683b
Compare
Summary: Adds a Yarn resolution to pin `svgo` to version `3.3.3` across all transitive dependencies in the Yoga package. This addresses CVE-2026-29074 (GHSA-xpqw-6gx7-v673) by upgrading from `3.3.2` to the patched version. The fix is minimal and safe — no code changes, just a version bump of a transitive dependency used by `svgr/plugin-svgo` and `postcss-svgo`. --- AI generated Summary & Test Plan from DEV112213693 Reviewed By: NickGerleman Differential Revision: D96742846
rozele
force-pushed
the
export-D96742846
branch
from
4c3683b to
13fff17
Compare
|
This pull request has been merged in 0a2398d. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary:
Adds a Yarn resolution to pin
svgoto version3.3.3across all transitive dependencies in the Yoga package. This addresses CVE-2026-29074 (GHSA-xpqw-6gx7-v673) by upgrading from3.3.2to the patched version. The fix is minimal and safe — no code changes, just a version bump of a transitive dependency used bysvgr/plugin-svgoandpostcss-svgo.AI generated Summary & Test Plan from DEV112213693
Reviewed By: NickGerleman
Differential Revision: D96742846