A friendly, open source React iconset

Last update: May 8, 2022

Supercons

A friendly set of open source React icons.

Preview & search the iconset

Massive credit to @superbryntendo for the original set of icons & aesthetic inspiration.

Predecessor projects: spectrum-icons, @hackclub/icons

Banner with fun styling of Supercons

Usage

yarn add supercons
# npm i supercons
) ">
import React from 'react'
import Icon from 'supercons'

export default () => (
  <div style={{ color: 'magenta' }}>
    <Icon glyph="like" size={128} />
    <Icon glyph="cloud" size={32} />
  </div>
)

Built with/supports TypeScript.

Props

Prop Type Default Details
glyph String, required like See docs
size Number or string 32 Sets width & height
as React component svg Must render svg tag

You can also pass any other props. Remember to make your icons accessible with aria-label or title, use aria-hidden if they’re purely decorative, etc.

Development setup

  1. Clone & enter the repo.
$ git clone https://github.com/lachlanjc/supercons.git
$ cd supercons
  1. Install dependencies.
$ yarn
  1. Run docs locally.
yarn run dev
  1. After making changes to icons, build the library.
yarn run prepare

To-do list

  • Drop PropTypes for TypeScript (thanks @anirudhb!)
  • Use Microbundle for build
  • Allow tree-shaking by programatically generating a component for each icon
  • Forward refs (with proper TypeScript support)
  • Add more icons

GitHub

https://github.com/lachlanjc/supercons
Comments
  • 1. Bump next from 11.1.3 to 12.1.0 in /docs

    Bumps next from 11.1.3 to 12.1.0.

    Release notes

    Sourced from next's releases.

    v12.1.0

    Core Changes

    • Relay Support in Rust Compiler: #33702
    • fix eslint link-passhref rule: #33857
    • update webpack: #33831
    • Flush buffered vitals metrics on page mount: #33867
    • fix problem with HMR when middleware and page reference the same node_module: #33873
    • Refactor page component getter in web server: #33759
    • update NextResponse default redirect status to 307 to match docs: #33505
    • Bug fix: dynamic page should not be interpreted as predefined page: #33808
    • Group streaming experimental apis: #33878
    • Encapsulate routing and initial hydration: #33875
    • Optimize offline condition judgment: #33238
    • Ensure external beforeFiles rewrites are handled with next/link: #33888
    • Fix parsing params for i18n optional route in minimal mode: #33896
    • Ensure browserslist extends works properly: #33890
    • Fix image cache race condition: #33883
    • Add support for Relay projects without artifactDirectory: #33918
    • fix: handle jsxspreadattribute in inline-script-id eslint rule: #32421
    • feat(next-swc): Update swc: #33724
    • Update to latest version of amphtml-validator: #33967
    • Warn in dev mode when script tags are added with next/head: #33968
    • Ensure optional chaining in swc matches babel: #33995
    • Use react-dom/server.browser in Node.js: #33950
    • Ensure external middleware rewrite is handled correctly: #33962
    • Update Terser to v5.10.0, fix minification issues: #33045
    • Warn in dev mode when stylesheets are added using next/head: #34004
    • Use ReadableStream in RenderResult: #34005
    • Fix suffix ordering while streaming: #34011
    • Don't use yarn if a package-lock.json file is found: #31926
    • Do not warn when application/ld+json scripts are used with next/head: #34021
    • Babel & next-swc: Fix exporting page config with AsExpression: #32702
    • Detect per page runtime config for functions manifest: #33945
    • Add JSDoc to config options: #32915
    • Update font-stylesheet-gathering-plugin.ts: #30709
    • Add decoratorMetadata flag if enabled by tsconfig: #32914
    • fix: data url handling in css-loader: #34034
    • Place 'charset' element at the top of : #28119
    • Fix detection of anchor click events inside svg: #23272
    • Allow passing nothing as custom jest config: #32328
    • Fixes #31240: Adding a recursive addPackagePath function in webpack-config: #31264
    • Require component rendered as child of Link to pass event to onClick handler: #27723
    • Allow scroll prevention on hash change: #31921
    • Add support for async fn / promise in next.config.js/.mjs: #33662
    • Fix lazyRoot functionality for next/image: #33933
    • Change SWC minify from beta to release candidate: #34056
    • Make Router state immutable: #33925
    • Stop exposing internal render and renderError methods from next/client: #34069
    • Add api-utils helper for testing: #34078

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2022-02-17 21:06
  • 2. Bump nanoid from 3.1.20 to 3.2.0

    ⚠️ Dependabot is rebasing this PR ⚠️

    Rebasing might not happen immediately, so don't worry if this takes some time.

    Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


    Bumps nanoid from 3.1.20 to 3.2.0.

    Changelog

    Sourced from nanoid's changelog.

    Change Log

    This project adheres to Semantic Versioning.

    3.2

    • Added --size and --alphabet arguments to binary (by Vitaly Baev).

    3.1.32

    • Reduced async exports size (by Artyom Arutyunyan).
    • Moved from Jest to uvu (by Vitaly Baev).

    3.1.31

    • Fixed collision vulnerability on object in size (by Artyom Arutyunyan).

    3.1.30

    • Reduced size for project with brotli compression (by Anton Khlynovskiy).

    3.1.29

    • Reduced npm package size.

    3.1.28

    • Reduced npm package size.

    3.1.27

    • Cleaned dependencies from development tools.

    3.1.26

    • Improved performance (by Eitan Har-Shoshanim).
    • Reduced npm package size.

    3.1.25

    • Fixed browserify support.

    3.1.24

    • Fixed browserify support (by Artur Paikin).

    3.1.23

    • Fixed esbuild support.

    3.1.22

    • Added default and browser.default to package.exports.

    3.1.21

    • Reduced npm package size.
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2022-01-22 02:26
  • 3. Bump nanoid from 3.1.25 to 3.2.0 in /docs

    Bumps nanoid from 3.1.25 to 3.2.0.

    Changelog

    Sourced from nanoid's changelog.

    Change Log

    This project adheres to Semantic Versioning.

    3.2

    • Added --size and --alphabet arguments to binary (by Vitaly Baev).

    3.1.32

    • Reduced async exports size (by Artyom Arutyunyan).
    • Moved from Jest to uvu (by Vitaly Baev).

    3.1.31

    • Fixed collision vulnerability on object in size (by Artyom Arutyunyan).

    3.1.30

    • Reduced size for project with brotli compression (by Anton Khlynovskiy).

    3.1.29

    • Reduced npm package size.

    3.1.28

    • Reduced npm package size.

    3.1.27

    • Cleaned dependencies from development tools.

    3.1.26

    • Improved performance (by Eitan Har-Shoshanim).
    • Reduced npm package size.
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2022-01-22 02:26
  • 4. Bump ansi-regex from 5.0.0 to 5.0.1 in /docs

    Bumps ansi-regex from 5.0.0 to 5.0.1.

    Release notes

    Sourced from ansi-regex's releases.

    v5.0.1

    Fixes (backport of 6.0.1 to v5)

    This is a backport of the minor ReDos vulnerability in [email protected]<6.0.1, as requested in #38.

    • Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

    CVE-2021-3807

    https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

    Thank you @​yetingli for the patch and reproduction case!

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-12-20 18:33
  • 5. Bump next from 11.1.1 to 11.1.3 in /docs

    Bumps next from 11.1.1 to 11.1.3.

    Release notes

    Sourced from next's releases.

    v11.1.3

    See https://github.com/vercel/next.js/releases/v12.0.5 for details about this patch.

    v11.1.3-canary.105

    Core Changes

    • Update swc-minify-enabled link: #30290
    • Fix middleware header propagation: #30288
    • Move outputFileTracing config up: #30295
    • Track usage of swc features: #30297
    • Ensure null bytes in resolved path are handled: #30313
    • Improve deprecation errors for new middleware API: #30316

    Documentation Changes

    Example Changes

    • Update image component example to use AVIF: #30294

    Credits

    Huge thanks to @​ijjk, @​styfle, @​padmaia, @​javivelasco, and @​leerob for helping!

    v11.1.3-canary.104

    Misc Changes

    • Add necessary workflow job dependencies: #30291

    v11.1.3-canary.103

    Core Changes

    • Warn when mutating res if not streaming: #30284
    • Chore/publish all swc: #30289

    Credits

    Huge thanks to @​kara for helping!

    v11.1.3-canary.102

    Core Changes

    • Add warning when LCP image is missing priority prop: #30221
    • New Middleware API signature: #30282
    • Fix trace case with tsconfig/jsconfig baseUrl: #30286

    Documentation Changes

    ... (truncated)

    Commits
    Maintainer changes

    This version was pushed to npm by vercel-release-bot, a new releaser for next since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-12-09 03:07
  • 6. Bump next from 11.1.0 to 11.1.1 in /docs

    Bumps next from 11.1.0 to 11.1.1.

    Release notes

    Sourced from next's releases.

    v11.1.1

    Core Changes

    • Next.js swc publish flow: #27984
    • Ensure config file message is only shown once: #28017
    • Add missing fields to NextConfig type: #27974
    • use a shared worker pool for collecting page data and static page generation: #27924
    • Use @​next scope for native packages: #28046
    • Fix generateBuildId type that can be async function: #28040
    • Fix image optimization encoding url: #28045
    • Clean up Document in preparation for streaming: #28032
    • Render as a concatenation of streams: #28082
    • Add support for dynamic HTML: #28085
    • Support suspense in next dynamic: #27611
    • Handle blob urls in image component: #27975
    • Bypass webpack compilation for precompiled @​next/polyfills-nomodule: #27596
    • Update util to 0.12.4: #27939
    • Remove duplicate doctypes: #28089
    • Fix revalidate for initial notFound: true paths: #28097
    • Add proper error when failing to load next.config.js: #28099
    • Fix: wrong link error message: #28127
    • Add support for Jaeger trace target: #28129
    • Enable pure client suspense in blocking rendering: #28165
    • Add entrypoint tracing: #25538
    • Add module type to build-module trace: #28128
    • Update to latest babel versions: #28174
    • Improve jaeger traces: #28168
    • fix development mode bug with pages with "+" and other special characters: #28122
    • let loaders automatically infer source map setting: #28204
    • Avoid fs write next-env.d.ts on read-only filesystems: #28206
    • Document usage of suspense option of next/dynamic: #28210
    • Add warning when parent styles break next/image: #28221
    • Use zen-observable library: #28214
    • Fix HMR when custom _app or _document is removed: #28227
    • Add relationship between issuer and module to traces: #28192
    • Update generating next-server dependencies: #28223
    • Fix next/image blur placeholder when JS is disabled: #28269
    • Ensure adding _app/_document HMRs correctly: #28279
    • upgrade webpack to 5.51.1: #28291
    • [ESLint] Adds process.exit to next lint success output: #28299
    • Fix next env vars injection in dynamic: #28309
    • Add layout to data-nimg attribute: #28312
    • Add data attribute to script component: #28310
    • Ensure @​babel/core is de-duped when nccing: #28384
    • Fix forked NODE_OPTIONS except for inspect: #28420
    • [ESLint] Enable caching by default: #28349
    • Update test config to leverage swc: #28400
    • Add missing typescript property to NextConfig: #28459
    • next/script fix duplicate scripts : #28428
    • Ensure error is shown correctly for empty headers field: #28430

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-09-01 19:29
  • 7. Bump color-string from 1.5.4 to 1.6.0

    ⚠️ Dependabot is rebasing this PR ⚠️

    Rebasing might not happen immediately, so don't worry if this takes some time.

    Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


    Bumps color-string from 1.5.4 to 1.6.0.

    Release notes

    Sourced from color-string's releases.

    1.6.0

    Minor release 1.6.0

    • #55 - Add support for space-separated HSL

    Thanks @​htunnicliff for the contribution :)

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-08-13 03:27
  • 8. Bump color-string from 1.5.4 to 1.6.0 in /docs

    Bumps color-string from 1.5.4 to 1.6.0.

    Release notes

    Sourced from color-string's releases.

    1.6.0

    Minor release 1.6.0

    • #55 - Add support for space-separated HSL

    Thanks @​htunnicliff for the contribution :)

    1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)

    Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3

    Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
    

    A ReDos (Regular Expression Denial of Service) vulnerability was responsibly disclosed to me via email by Colin on Mar 5 2021 regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

    Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

    The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

    This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.

    Thank you Yeting Li and Colin Ife for bringing this to my attention in a secure, responsible and professional manner.

    A CVE will not be assigned for this vulnerability.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-08-13 03:27
  • 9. Bump next from 10.0.6 to 11.1.0 in /docs

    Bumps next from 10.0.6 to 11.1.0.

    Release notes

    Sourced from next's releases.

    v11.1.0

    A security team from one of our partners noticed an issue in Next.js that allowed for an open redirect to occur.

    Specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site.

    In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

    We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

    How to Upgrade

    • We have released patch versions for both the stable and canary channels of Next.js.
    • To upgrade run npm install [email protected] --save

    Impact

    • Affected: Users of Next.js between 10.0.5 and 10.2.0
    • Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
    • Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
    • Not affected: Deployments on Vercel (vercel.com) are not affected
    • Not affected: Deployments with pages/404.js

    We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

    How to Assess Impact

    If you think sensitive code or data could have been exposed, you can filter logs of affected sites by // (double slash at the start of the url) followed by a domain.

    What is Being Done

    As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to Gabriel Benmergui from Robinhood for their investigation and discovery of the original bug and subsequent responsible disclosure.

    We've landed a patch that ensures path parsing is handled properly for these paths so that the open redirect can no longer occur.

    Regression tests for this attack were added to the security integration test suite

    • We have notified known Next.js users in advance of this publication.
    • A public CVE was released.
    • We encourage responsible disclosure of future reports. Please email us at [email protected]. We are actively monitoring this mailbox.

    Release notes

    Core Changes

    • Don't test image domains in test env: #26502
    • Fix props not updating when changing the locale and keeping hash: #26205
    • Allow user to override next-image-loader: #26548
    • Add logging when a custom babelrc is loaded: #26570

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-08-13 03:19
  • 10. Bump path-parse from 1.0.6 to 1.0.7

    Bumps path-parse from 1.0.6 to 1.0.7.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-08-13 00:15
  • 11. Bump postcss from 7.0.35 to 7.0.36

    Bumps postcss from 7.0.35 to 7.0.36.

    Release notes

    Sourced from postcss's releases.

    7.0.36

    • Backport ReDoS vulnerabilities from PostCSS 8.
    Changelog

    Sourced from postcss's changelog.

    7.0.36

    • Backport ReDoS vulnerabilities from PostCSS 8.
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2021-06-15 20:31
  • 12. Bump minimist from 1.2.5 to 1.2.6

    Bumps minimist from 1.2.5 to 1.2.6.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    Reviewed by dependabot[bot] at 2022-03-29 05:32
  • 13. Could not find a declaration file for module 'supercons'.

    Could not find a declaration file for module 'supercons'. 'node_modules/supercons/dist/index.js' implicitly has an 'any' type. Try npm i --save-dev @types/supercons if it exists or add a new declaration (.d.ts) file containing declare module 'supercons';

    Reviewed by zycoder142 at 2021-04-24 07:35
React icon component for Geomicons Open

react-geomicons React icon component for Geomicons Open View Demo Getting Started npm install --save react-geomicons var React = require('react'); var

Jan 27, 2022
SVG library for React Native, React Native Web, and plain React web projects.
SVG library for React Native, React Native Web, and plain React web projects.

react-native-svg react-native-svg provides SVG support to React Native on iOS and Android, and a compatibility layer for the web. Check out the demo L

May 12, 2022
ICONSAX for React and React Native ✌️

ICONSAX for React and React Native ✌️

May 9, 2022
SVG Vue/React components integrated from fluentui-system-icons, ionicons, ant-design-icons, material-design-icons, Font-Awesome, tabler-icons and carbon icons. (Vue3, Vue2, React, SVG)

SVG Vue/React components integrated from fluentui-system-icons, ionicons, ant-design-icons, material-design-icons, Font-Awesome, tabler-icons and carbon icons. (Vue3, Vue2, React, SVG)

May 12, 2022
Iconify icon component for React

This repository contains old version 1 of Iconify for React. The latest version has been moved to Iconify monorepo: https://github.com/iconify/iconify

May 7, 2022
svg react icons of popular icon packs

React Icons Include popular icons in your React projects easily with react-icons, which utilizes ES6 imports that allows you to include only the icons

May 17, 2022
A React SVG components library of Framework7 Icons with better usability.
A React SVG components library of Framework7 Icons with better usability.

A React SVG components library of Framework7 Icons > npm install react-f7-icons import F7Icon from 'react-f7-icons' export default function Component

Sep 9, 2021
Transform SVG to React Chakra UI
Transform SVG to React Chakra UI <Icon /> ✨

Transform SVG to React Chakra UI ✨ from SVG file to CODE Features Transform <SVG/> to Chakra-UI Icon Component or Functional createIcon(...). <Icon />

May 9, 2022
Akar icons library as React components.
Akar icons library as React components.

akar-icons A perfectly rounded icon library made for designers, developers, and pretty much everyone. Explore all of our icons at akaricons.com. Get S

May 4, 2022
57 SVG icons for CRUD applications, packaged as a React component with light & dark themes and tooltip.
57 SVG icons for CRUD applications, packaged as a React component with light & dark themes and tooltip.

React-CRUD-Icons · React-CRUD-Icons is a set of SVG icons for CRUD (Create, Read, Update, Delete) apps, implemented as a React component with light &

Apr 10, 2022
🌈 React component for Iconly icons

?? React Iconly Icons React component for Iconly icons react-iconly is a collection of simply beautiful open source icons for React.js. Each icon is d

May 10, 2022
🎨 Tabler Icons for React

tabler-icons-react A library of React components for Tabler Icons — a set of over free 700 open-sourced MIT-licensed icons. Usage The package is avail

May 13, 2022
📦 This package provides the Simple Icons packaged as a set of React components.

react-simple-icons This package provides a React component for simple-icons. Installation Install the package in your project directory with: // with

May 2, 2022
Accessible SVG icon component for React

react-svg-icon Accessible SVG icon component for React. Check out the online demo! Usage npm install --save react-svg-icon import Icon from 'react-svg

Jan 9, 2020
Iconography for Grommet and React.js

grommet-icons Iconography for Grommet and React.js Install npm install grommet-icons grommet-styles --save or yarn add grommet-icons grommet-styles Us

May 3, 2022
svg social icons in react
svg social icons in react

react-social-icons A set of beautiful svg social icons. Easily used in React. No images or external css dependencies. Svg paths provided by Squarespac

May 4, 2022
React FontIconPicker Component to pick icon or SVG from a selection.
React FontIconPicker Component to pick icon or SVG from a selection.

React FontIconPicker Component A react version of fontIconPicker. This is rewritten and is not a wrapper around jQuery version. With FontIconPicker co

May 10, 2022
Bytesize Icons as React Components.

Bytesize icons as React components. All the icons were designed by Dan Klammer. Find the original SVG icons here. How to install? npm install --save r

Apr 9, 2022
React component for font awesome
React component for font awesome

react-icon React component for font awesome Installation npm install sitb-react-icon Usage Dependencies Depend on the style of the font-awesome libra

Oct 23, 2017