Bump svgo from 3.3.2 to 3.3.3

[dependabot]

Bumps svgo from 3.3.2 to 3.3.3.

Release notes

Sourced from svgo's releases.

v3.3.3

What's Changed

Dependencies

• Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

• No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

	v3.3.2	v3.3.3	Delta
svgo.browser.js	910.9 kB	912.9 kB	⬆️ 2 kB

Support

SVGO v3 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

Commits

• bbab162 deps: upgrade to sax v1.5.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Low Risk
Lockfile-only dependency bump; risk is limited to potential SVG optimization/parse behavior changes from the svgo/sax upgrade.

Overview
Updates the svgo dependency from 3.3.2 to 3.3.3 in package-lock.json.

As part of the upgrade, svgo switches from @trysound/sax to upstream sax (bumping sax to 1.5.0 and removing the forked package from the lockfile), updating the transitive dependency tree accordingly.

^{Written by Cursor Bugbot for commit a35b0e9. This will update automatically on new commits. Configure here.}

[github-actions]

🤖 Cursor Dependency Analysis

Here's my review of this Dependabot PR:

---

1. Where svgo is used in this repo

svgo is not a direct dependency of this project. It does not appear in package.json. It is a transitive dependency pulled in by:

• @svgr/plugin-svgo (v8.1.0) — used by Docusaurus's SVG loader
• postcss-svgo (v6.0.3) — used by cssnano via Docusaurus's CSS pipeline

Both are build-time tools for optimizing SVGs and CSS during the Docusaurus site build. They are not runtime/user-facing.

2. Intersection with changed APIs

The v3.3.2 -> v3.3.3 diff is minimal and entirely internal:

• Swaps the XML parser from @trysound/sax (unmaintained fork) to upstream sax@1.5.0 (with a patch applied)
• Adjusts lib/parser.js to adapt to the slightly different error reporting shape of upstream sax (error reason extraction, line/column from the parser instance)
• Adds unparsedEntities: true to the SAX config to prevent errors on DTD comments
• Removes JSDoc type annotations on callbacks (cleanup)

No public API changes. The optimize() function signature, plugin system, and all exports are unchanged. The consumers (@svgr/plugin-svgo, postcss-svgo) call svgo.optimize(svgString, config), which is unaffected.

3. Risks / Unknowns

• Low risk: The only functional change is the XML parser swap. Upstream sax is the original well-maintained library; the fork was a temporary measure. The patch applied by svgo ensures consistent behavior.
• Marginal: Bundle size increases by ~2 kB, irrelevant for a build tool.
• Edge case: If any SVG files in this project use DTD comments or exotic XML entities, behavior could theoretically differ — but this is a fix (previously would throw, now handles correctly).
• No test risk: This is a lockfile-only change with no code changes in this repo.

4. Recommendation

Merge. This is a low-risk patch-level update to a transitive build dependency. It fixes a parsing bug, addresses security implications (per the svgo maintainers), and swaps to a better-maintained XML parser. No API surface changes affect this project.