Bump svgo from 4.0.0 to 4.0.1 in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: svgo.

Updates svgo from 4.0.0 to 4.0.1

Release notes

Sourced from svgo's releases.

v4.0.1

What's Changed

Dependencies

• Sets minimum version of sax (XML parser) to v1.5.0, which improves built-in guards against entity expansion.

Bug Fixes

• removeEmptyContainers, removed leftover <use> elements referencing an empty container that were removed. By @​johnkenny54 in svg/svgo#2051
• removeUnknownsAndDefaults, don't remove attributes if they're referenced in attribute selectors (CSS). By @​SethFalco in svg/svgo#2144

Performance

• convertPathData, refactor to reduce redundant equality checks. By @​Lorfdail in svg/svgo#1764 and svg/svgo#2135
• removeHiddenElems, compute styles lazily. By @​Lorfdail in svg/svgo#1764 and svg/svgo#2135

Other Changes

• Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The --show-plugins argument appends the presets a plugin is in to the end of the line. By @​viralcodex in svg/svgo#2174
• Plugin/preset types to enforce the name start with preset- if it is a preset (collection of plugins). By @​SethFalco in svg/svgo#2178

Metrics

Before and after of the browser bundle of each respective version:

	v4.0.0	v4.0.1	Delta
svgo.browser.js	780.2 kB	781.5 kB	⬆️ 1.3 kB

Commits

• e691f5f Merge commit from fork
• b1d9f1a chore(deps): bump actions/upload-artifact from 6 to 7 (#2202)
• d724af1 chore(deps): bump actions/checkout from 5 to 6 (#2195)
• 4114b32 chore(deps): bump actions/upload-artifact from 4 to 6 (#2196)
• c06d8f6 chore: upgrade js-yaml and glob (#2191)
• 26e86e5 fix: remove unused <use> elements when deleting empty symbols (#2051)
• 50c326b perf: optimiztions to reduce regression test runtime (#2135)
• 1f33cbe ci: separate regression tests and write delta report (#2190)
• 79a2167 ci: save test reports to artifacts (#2189)
• 0ae52a0 chore(deps): bump actions/setup-node from 5 to 6 (#2187)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[greptile-apps]

Greptile Summary

This is a Dependabot patch bump of the svgo dev-dependency from 4.0.0 to 4.0.1, whose primary security benefit is upgrading sax (the XML parser used by svgo) from v1.4.3 to v1.6.0, which hardens against XML entity-expansion (XXE-style) attacks. The lockfile also cascades a broader set of transitive dependency updates (css-tree, eslint-import-resolver-node, resolve, minimatch, es-abstract, etc.) that were picked up when pnpm re-resolved the dependency graph.

Key points from the review:

• Security win: sax is bumped past v1.5.0, directly addressing the stated motivation for this release.
• basic-ftp@5.0.5 deprecation notice: The regenerated lockfile now surfaces a pre-existing deprecation warning for basic-ftp@5.0.5, noting a security vulnerability fixed in v5.2.0. This is unrelated to svgo but should be tracked in a follow-up issue.
• @types/react-dom@18.3.1 peer resolution change: The snapshot for @types/react-dom@18.3.1 now resolves its @types/react peer to v19.0.12 (was 18.3.1). Running pnpm tsc --noEmit after merging is advisable to confirm no type regressions were introduced.
• Broader-than-expected lockfile diff: Several packages beyond svgo itself were re-resolved (e.g., eslint-import-resolver-node, resolve, minimatch). Each individual change appears to be a non-breaking patch or pre-release bump, but the combined surface area is wider than the PR description implies.

Confidence Score: 4/5

• Safe to merge with a minor follow-up recommended for the basic-ftp deprecation and a TypeScript type-check verification.
• The core change (svgo 4.0.0 to 4.0.1) is a well-motivated patch with a clear security benefit in the sax upgrade. All other transitive bumps are patch-level. The only items worth attention — the basic-ftp deprecation and the @types/react peer resolution shift — are non-blocking and can be handled as follow-up work.
• pnpm-lock.yaml — particularly the basic-ftp deprecation notice and the @types/react-dom@18.3.1 snapshot peer resolution change.

Important Files Changed

Filename	Overview
package.json	Bumps svgo dev-dependency specifier from ^4.0.0 to ^4.0.1 — minimal, straightforward change.
pnpm-lock.yaml	Lockfile updated for svgo 4.0.1 and its direct deps (sax 1.4.3→1.6.0, css-tree 3.1.0→3.2.1); also cascades additional transitive bumps (eslint-import-resolver-node, resolve, minimatch, es-abstract, etc.) and exposes a pre-existing basic-ftp security deprecation notice.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["svgo 4.0.0 to 4.0.1"] --> B["sax 1.4.3 to 1.6.0\nXML entity-expansion fix"]
    A --> C["css-tree 3.1.0 to 3.2.1"]
    A --> D["mdn-data 2.12.2 to 2.27.1"]
    E["eslint-import-resolver-node 0.3.9 to 0.3.10"] --> F["resolve 1.22.11 to 2.0.0-next.6"]
    F --> G["node-exports-info 1.6.0 added"]
    E --> H["minimatch 3.1.2 to 3.1.5"]
    H --> I["brace-expansion 1.1.12 to 1.1.13"]
    J["es-abstract 1.24.0 to 1.24.1"] --> K["which-typed-array 1.1.19 to 1.1.20"]
    L["basic-ftp 5.0.5"] --> M["WARNING: deprecated, vuln fixed in 5.2.0"]

Loading

_{Reviews (1): Last reviewed commit: "Bump svgo in the npm_and_yarn group acro..." | Re-trigger Greptile}

[greptile-apps]

basic-ftp security deprecation exposed by lockfile regeneration

The lockfile now includes an explicit deprecation notice for basic-ftp@5.0.5:

deprecated: Security vulnerability fixed in 5.2.0, please upgrade

This warning was surfaced because pnpm re-resolved the lockfile as part of this bump. basic-ftp is a transitive dependency (not introduced by this PR), but now that the lockfile records the deprecation it is worth addressing in a follow-up PR by either upgrading the package that pulls in basic-ftp or adding a pnpm.overrides entry to force basic-ftp@>=5.2.0.

[greptile-apps]

@types/react-dom@18.3.1 snapshot now resolves @types/react to v19

The snapshot entry for @types/react-dom@18.3.1 has changed its peer-resolved @types/react from 18.3.1 to 19.0.12. Mixing @types/react-dom v18 with @types/react v19 types can lead to subtle type-checking discrepancies (e.g., event handler or ref typings that differ between major versions). This is a side-effect of pnpm re-resolving the hoisted peer version, not a direct consequence of the svgo bump. It is worth verifying that TypeScript type-checking still passes cleanly after this PR is merged (pnpm tsc --noEmit).