
You're right, I had doubts while writing that.

Aside from pre/postinstall scripts, I imagine the SVG and/or CSS files get copied into a folder of static assets.

Depending on how that's done - manual import or part of a build step; specifying file extensions or not; how assets are served, etc. - that could be "vulnerable to code coming downstream".



