loader-utils dependency v2 is vulnerable and should be updated to v3: CVE-2022-37599

[Akkora]

Hello,
as the webpack loader-utils v2 are vulnerable, we get issues when installing resolve-url-loader. Could you please provide an update with the upgraded to v3 loader-utils package?

Link to more vulnerability details
https://nvd.nist.gov/vuln/detail/CVE-2022-37599

[bholloway]

Fix is currently blocked. See attached PR.

[G-Rath]

The fix has been backported to v2 of loader-utils, so this should now no longer be an issue on v4 and v5 - however v3 is using still using v1 of loader-utils; I have requested a further backport but am hoping we can actually just upgrade our apps to v4 of resolve-url-loader.

Either way @bholloway I don't think there's any further action required from you, unless you'd be willing to look into seeing if v3 could be upgraded to use v2 of loader-utils.

[G-Rath]

a v1 version of loader-utils with a fix has been released, but v3 of resolve-url-loader pins the dependency at an exact version so it needs to have a new version released either relaxing the constraint to allow minor versions (preferred) or otherwise pinning loader-utils to v1.4.2

[bholloway]

Fixed by #229