From ebc5779dc57e07ddfe2a6ba990b3aed4224cb80b Mon Sep 17 00:00:00 2001
From: Seth Falco <seth@falco.fun>
Date: Tue, 11 Jun 2024 22:13:31 +0100
Subject: [PATCH] deps: upgrade to svgo@v4.0.0

---
 package.json        |   4 +-
 pnpm-lock.yaml      |  34 +++++------
 src/ipx.ts          |   7 +--
 src/lib/svgo-xss.ts | 133 --------------------------------------------
 4 files changed, 22 insertions(+), 156 deletions(-)
 delete mode 100644 src/lib/svgo-xss.ts

diff --git a/package.json b/package.json
index ee38859..e668b6f 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
     "ofetch": "^1.3.3",
     "pathe": "^1.1.1",
     "sharp": "^0.32.6",
-    "svgo": "^3.0.2",
+    "svgo": "^4.0.0-rc.0",
     "ufo": "^1.3.1",
     "unstorage": "^1.9.0",
     "xss": "^1.0.14"
@@ -69,4 +69,4 @@
     "vitest": "^0.34.6"
   },
   "packageManager": "pnpm@8.10.2"
-}
\ No newline at end of file
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 9e21877..399bf58 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -42,8 +42,8 @@ dependencies:
     specifier: ^0.32.6
     version: 0.32.6
   svgo:
-    specifier: ^3.0.2
-    version: 3.0.2
+    specifier: ^4.0.0-rc.0
+    version: 4.0.0-rc.0
   ufo:
     specifier: ^1.3.1
     version: 1.3.1
@@ -1070,11 +1070,6 @@ packages:
     resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==}
     dev: true
 
-  /@trysound/sax@0.2.0:
-    resolution: {integrity: sha512-L7z9BgrNEcYyUYtF+HaEfiS5ebkh9jXqbszz7pC0hRBPaatV0XjSD3+eHrpqFemQfgwiFF0QPIarnIihIDn7OA==}
-    engines: {node: '>=10.13.0'}
-    dev: false
-
   /@types/chai-subset@1.3.4:
     resolution: {integrity: sha512-CCWNXrJYSUIojZ1149ksLl3AN9cmZ5djf+yUoVVV+NuYrtydItQVlL2ZDqyC6M6O9LWRnVf8yYDxbXHO2TfQZg==}
     dependencies:
@@ -1773,13 +1768,13 @@ packages:
     resolution: {integrity: sha512-IfEDxwoWIjkeXL1eXcDiow4UbKjhLdq6/EuSVR9GMN7KVH3r9gQ83e73hsz1Nd1T3ijd5xv1wcWRYO+D6kCI2w==}
     dev: true
 
-  /commander@2.20.3:
-    resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
+  /commander@11.1.0:
+    resolution: {integrity: sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==}
+    engines: {node: '>=16'}
     dev: false
 
-  /commander@7.2.0:
-    resolution: {integrity: sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==}
-    engines: {node: '>= 10'}
+  /commander@2.20.3:
+    resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
     dev: false
 
   /commondir@1.0.1:
@@ -4212,6 +4207,10 @@ packages:
       regexp-tree: 0.1.27
     dev: true
 
+  /sax@1.4.1:
+    resolution: {integrity: sha512-+aWOz7yVScEGoKNd4PA10LZ8sk0A/z5+nXQG5giUO5rprX9jgYsTdov9qCchZiPIZezbZH+jRut8nPodFAX4Jg==}
+    dev: false
+
   /scule@1.0.0:
     resolution: {integrity: sha512-4AsO/FrViE/iDNEPaAQlb77tf0csuq27EsVpy6ett584EcRTp6pTDLoGWVxCD77y5iU5FauOvhsI4o1APwPoSQ==}
     dev: true
@@ -4482,17 +4481,18 @@ packages:
     engines: {node: '>= 0.4'}
     dev: true
 
-  /svgo@3.0.2:
-    resolution: {integrity: sha512-Z706C1U2pb1+JGP48fbazf3KxHrWOsLme6Rv7imFBn5EnuanDW1GPaA/P1/dvObE670JDePC3mnj0k0B7P0jjQ==}
-    engines: {node: '>=14.0.0'}
+  /svgo@4.0.0-rc.0:
+    resolution: {integrity: sha512-V6DFAkoKXl9GFPZPKNDcJpeXQtMhJT3mgt0VIJTuTe89Ih4ZMtlVR/Djxm0WZX1+9TC7srNhQG6Ffs7EcB4T7Q==}
+    engines: {node: '>=16.0.0'}
     hasBin: true
     dependencies:
-      '@trysound/sax': 0.2.0
-      commander: 7.2.0
+      commander: 11.1.0
       css-select: 5.1.0
       css-tree: 2.3.1
+      css-what: 6.1.0
       csso: 5.0.5
       picocolors: 1.0.0
+      sax: 1.4.1
     dev: false
 
   /tapable@2.2.1:
diff --git a/src/ipx.ts b/src/ipx.ts
index 2e69036..0f0b77f 100644
--- a/src/ipx.ts
+++ b/src/ipx.ts
@@ -73,8 +73,7 @@ export function createIPX(userOptions: IPXOptions): IPX {
 
   const getSVGO = cachedPromise(async () => {
     const { optimize } = await import("svgo");
-    const { xss } = await import("./lib/svgo-xss");
-    return { optimize, xss };
+    return { optimize };
   });
 
   return function ipx(id, modifiers = {}, opts = {}) {
@@ -176,10 +175,10 @@ export function createIPX(userOptions: IPXOptions): IPX {
           };
         } else {
           // https://github.com/svg/svgo
-          const { optimize, xss } = await getSVGO();
+          const { optimize } = await getSVGO();
           const svg = optimize(sourceData.toString("utf8"), {
             ...options.svgo,
-            plugins: [xss, ...(options.svgo?.plugins || [])],
+            plugins: ["removeScripts", ...(options.svgo?.plugins || [])],
           }).data;
           return {
             data: svg,
diff --git a/src/lib/svgo-xss.ts b/src/lib/svgo-xss.ts
deleted file mode 100644
index ad35287..0000000
--- a/src/lib/svgo-xss.ts
+++ /dev/null
@@ -1,133 +0,0 @@
-import type { CustomPlugin } from "svgo";
-
-/**
- * Remove possible XSS attacks.
- *
- * * Remove <script> elements.
- * * Removes known event attributes.
- * * Removes JavaScript URIs.
- *
- * @author Katya Pavlenko (@cakeinpanic)
- *
- * Based on https://github.com/svg/svgo/blob/main/plugins/removeScriptElement.js
- */
-export const xss = {
-  name: "removeXSS",
-  fn() {
-    return {
-      element: {
-        enter: (node, parentNode) => {
-          if (node.name === "script") {
-            // Avoid splice to not break for loops
-            parentNode.children = parentNode.children.filter(
-              (child) => child !== node,
-            );
-            return;
-          }
-          for (const event of ALL_EVENTS) {
-            if (node.attributes[event] != null) {
-              delete node.attributes[event];
-            }
-          }
-        },
-        exit: (node, parentNode) => {
-          if (node.name !== "a") {
-            return;
-          }
-
-          for (const attr of Object.keys(node.attributes)) {
-            if (attr === "href" || attr.endsWith(":href")) {
-              if (
-                node.attributes[attr] == null ||
-                !node.attributes[attr].trimStart().startsWith("javascript:")
-              ) {
-                continue;
-              }
-
-              const index = parentNode.children.indexOf(node);
-              parentNode.children.splice(index, 1, ...node.children);
-
-              for (const child of node.children) {
-                Object.defineProperty(child, "parentNode", {
-                  writable: true,
-                  value: parentNode,
-                });
-              }
-            }
-          }
-        },
-      },
-    };
-  },
-} satisfies CustomPlugin;
-
-const ALL_EVENTS = [
-  "onabort",
-  "onactivate",
-  "onbegin",
-  "oncancel",
-  "oncanplay",
-  "oncanplaythrough",
-  "onchange",
-  "onclick",
-  "onclose",
-  "oncopy",
-  "oncuechange",
-  "oncut",
-  "ondblclick",
-  "ondrag",
-  "ondragend",
-  "ondragenter",
-  "ondragleave",
-  "ondragover",
-  "ondragstart",
-  "ondrop",
-  "ondurationchange",
-  "onemptied",
-  "onend",
-  "onended",
-  "onerror",
-  "onfocus",
-  "onfocusin",
-  "onfocusout",
-  "oninput",
-  "oninvalid",
-  "onkeydown",
-  "onkeypress",
-  "onkeyup",
-  "onload",
-  "onloadeddata",
-  "onloadedmetadata",
-  "onloadstart",
-  "onmousedown",
-  "onmouseenter",
-  "onmouseleave",
-  "onmousemove",
-  "onmouseout",
-  "onmouseover",
-  "onmouseup",
-  "onmousewheel",
-  "onpaste",
-  "onpause",
-  "onplay",
-  "onplaying",
-  "onprogress",
-  "onratechange",
-  "onrepeat",
-  "onreset",
-  "onresize",
-  "onscroll",
-  "onseeked",
-  "onseeking",
-  "onselect",
-  "onshow",
-  "onstalled",
-  "onsubmit",
-  "onsuspend",
-  "ontimeupdate",
-  "ontoggle",
-  "onunload",
-  "onvolumechange",
-  "onwaiting",
-  "onzoom",
-];