Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
postcss-svgo
Advanced tools
postcss-svgo
Optimise inline SVG with PostCSS.
Install
With npm do:
npm install postcss-svgo --save
Example
Input
h1 {
background: url('data:image/svg+xml;charset=utf-8,<?xml version="1.0" encoding="utf-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve"><circle cx="50" cy="50" r="40" fill="yellow" /></svg>');
}
h2 {
background: url('data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPjxzdmcgdmVyc2lvbj0iMS4xIiBpZD0iTGF5ZXJfMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+PGNpcmNsZSBjeD0iNTAiIGN5PSI1MCIgcj0iNDAiIGZpbGw9InllbGxvdyIgLz48IS0tdGVzdCBjb21tZW50LS0+PC9zdmc+');
}
Output
h1 {
background: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" fill="%23ff0"/></svg>');
}
h2 {
background: url('data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxjaXJjbGUgY3g9IjUwIiBjeT0iNTAiIHI9IjQwIiBmaWxsPSIjZmYwIi8+PC9zdmc+');
}
API
svgo([options])
options
encode
Type: boolean
Default: undefined
If true, it will encode URL-unsafe characters such as <, > and &;
false will decode these characters, and undefined will neither encode nor
decode the original input. Note that regardless of this setting, # will
always be URL-encoded.
plugins
Optionally, you can customise the output by specifying the plugins option. You
will need to provide the config in comma separated objects, like the example
below. Note that you can either disable the plugin by setting it to false,
or pass different options to change the default behaviour.
var postcss = require('postcss');
var svgo = require('postcss-svgo');
var opts = {
plugins: [{
removeDoctype: false
}, {
removeComments: false
}, {
cleanupNumericValues: {
floatPrecision: 2
}
}, {
convertColors: {
names2hex: false,
rgb2hex: false
}
}]
};
postcss([ svgo(opts) ]).process(css).then(function (result) {
console.log(result.css)
});
You can view the full list of plugins here.
Usage
See the PostCSS documentation for examples for your environment.
Contributors
See CONTRIBUTORS.md.
License
MIT © Ben Briggs
Other packages similar to postcss-svgo
svgo
SVGO is the underlying library that postcss-svgo uses for optimizing SVG files. It can be used directly on SVG files, rather than through CSS, providing a more general-purpose tool for SVG optimization.
gulp-svgmin
This is a Gulp plugin that uses SVGO to optimize SVG files. It's similar to postcss-svgo but is designed to be used in a Gulp-based build process, making it more suitable for workflows that are already using Gulp.
imagemin-svgo
imagemin-svgo is a plugin for Imagemin, another build tool, that also uses SVGO for optimizing SVG files. It's comparable to postcss-svgo but is tailored for use with Imagemin, which can handle various image formats, not just SVG.
grunt-svgmin
This is a Grunt plugin that leverages SVGO to optimize SVG files. It's an alternative to postcss-svgo for those who are using Grunt in their build process.
FAQs
Optimise inline SVG with PostCSS.
The npm package postcss-svgo receives a total of 4,585,095 weekly downloads. As such, postcss-svgo popularity was classified as popular.
We found that postcss-svgo demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.
Package last updated on 19 May 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025