(svg-transform-loader) Dependency causing deprecation warnings

[mizziness]

warning svg-transform-loader > svg-mixer-utils > anymatch > micromatch > snapdragon > source-map-resolve > [email protected]: https://github.com/lydell/resolve-url#deprecated
warning svg-transform-loader > svg-mixer-utils > anymatch > micromatch > snapdragon > source-map-resolve > [email protected]: Please see https://github.com/lydell/urix#deprecated

"dependencies": {
    "@streamlinehq/streamlinehq": "^2.1.0",
    "browser-cookies": "^1.2.0",
    "delicious-hamburgers": "^1.1.0",
    "jquery": "3.6.0",
    "jquery-validation": "^1.19.3",
    "lazysizes": "^5.3.2",
    "regenerator-runtime": "^0.13.7",
    "tailwindcss": "^2.1.2",
    "tailwindcss-rtl": "^0.7.3",
    "tailwindcss-tooltip-arrow-after": "^1.0.0"
  },
  "devDependencies": {
    "@babel/core": "^7.14.0",
    "@babel/plugin-proposal-class-properties": "^7.13.0",
    "@babel/plugin-transform-runtime": "^7.13.15",
    "@babel/preset-env": "^7.14.1",
    "@babel/runtime-corejs3": "^7.14.0",
    "autoprefixer": "^10.2.5",
    "babel-loader": "^8.2.2",
    "clean-webpack-plugin": "^3.0.0",
    "copy-webpack-plugin": "^8.1.1",
    "core-js": "^3.11.2",
    "cross-env": "^7.0.2",
    "css-loader": "^5.0.0",
    "css-minimizer-webpack-plugin": "^2.0.0",
    "dotenv": "^8.2.0",
    "expose-loader": "^2.0.0",
    "fibers": "^5.0.0",
    "html-webpack-plugin": "^5.0.0-alpha.7",
    "mini-css-extract-plugin": "^1.3.9",
    "postcss": "^8.1.14",
    "postcss-import": "^14.0.1",
    "postcss-loader": "^5.2.0",
    "postcss-preset-env": "^6.7.0",
    "sass": "^1.32.11",
    "sass-loader": "^11.0.1",
    "style-loader": "^2.0.0",
    "svg-transform-loader": "^2.0.13",
    "svg-url-loader": "^7.1.1",
    "terser-webpack-plugin": "^5.1.1",
    "webpack": "^5.35.0",
    "webpack-bundle-analyzer": "^4.4.1",
    "webpack-cli": "^4.0.0",
    "webpack-dev-server": "^v4.0.0-beta.2",
    "webpack-manifest-plugin": "^3.0.0",
    "webpack-merge": "^5.2.0",
    "webpackbar": "^5.0.0-3"
  },

[mizziness]

This should be escalated as it's now got a security alert as well:

yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Hostname spoofing via backslashes in URL                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ urijs                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.19.7                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ svg-transform-loader                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ svg-transform-loader > svg-mixer-utils > postcss-helpers >   │
│               │ urijs                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1766                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1068
Severity: 1 Moderate

[felixranesberger]

Is there any update on the current situation?
We're using a third party Vite extension, which depends on this package.

https://www.npmjs.com/package/vite-plugin-svg-icons

[wajdar]

I bump up the question. I found that the postcss-helpers library -> yarn.lock has an old version of urijs (1.18.12). One workaround at the moment is iAdramelk/postcss-helpers#7 (comment). But in my opinion this is not the best solution.