ci: downgrade convert-svg-to-png to v0.5.0

[Version 0.6.0 of convert-svg][1] introduced a fix for [CVE-2021-23631][2]. Unfortunately, this fix also breaks our mermaid flowchart SVGs. [1]: https://github.com/neocotic/convert-svg/releases/tag/0.6.0 [2]: https://nvd.nist.gov/vuln/detail/CVE-2021-23631
mermaid-js · Aug 22, 2022 · 79cdadd · 79cdadd
1 parent 38ddaba
commit 79cdadd
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/.github/workflows/compile-mermaid.yml b/.github/workflows/compile-mermaid.yml
@@ -55,14 +55,17 @@ jobs:
 
       - name: Convert all svg files to png before uploading for automatic inspection
         run: |
-          npm install convert-svg-to-png
-          ls -la ${{env.INPUT_DATA}}
+          ls -la "$INPUT_DATA"
+          svg_files_to_convert=(
+            "$INPUT_DATA"/graph-with-br.mmd.svg
+            "$INPUT_DATA"/graph-with-br.mmd-stdin.svg
+            # svg file is named `-svg` so it doesn't overwrite .png file
+            "$INPUT_DATA"/flowchart1-red-background-svg.svg
+            "$INPUT_DATA"/flowchart1-with-css-svg.svg
+          )
           # This will overwite any PNG files with the same name that have been created by run-tests.sh
-          $(npm bin)/convert-svg-to-png ${{env.INPUT_DATA}}/graph-with-br.mmd.svg
-          $(npm bin)/convert-svg-to-png ${{env.INPUT_DATA}}/graph-with-br.mmd-stdin.svg
-          # svg file is named `-svg` so it doesn't overwrite .png file
-          $(npm bin)/convert-svg-to-png ${{env.INPUT_DATA}}/flowchart1-red-background-svg.svg
-          $(npm bin)/convert-svg-to-png ${{env.INPUT_DATA}}/flowchart1-with-css-svg.svg
+          # v0.5.0 is the last version to correctly convert our SVG files to PNG
+          npx --yes convert-svg-to-png@0.5.0 "${svg_files_to_convert[@]}"
 
       - name: Upload diagrams for manual inspection
         uses: actions/upload-artifact@v3