
loader-utils dependency v2 is vulnerable and should be updated to v3: CVE-2022-37599 #226

Closed
Akkora opened this issue Oct 13, 2022 · 4 comments · May be fixed by #227

Comments


Akkora commented Oct 13, 2022

Hello,
as the webpack loader-utils v2 is vulnerable, we get issues when installing resolve-url-loader. Could you please provide an update with the loader-utils package upgraded to v3?

Link to more vulnerability details
https://nvd.nist.gov/vuln/detail/CVE-2022-37599

@bholloway
Owner

Fix is currently blocked. See attached PR.


G-Rath commented Nov 6, 2022

The fix has been backported to v2 of loader-utils, so this should no longer be an issue on v4 and v5. However, v3 is still using v1 of loader-utils; I have requested a further backport but am hoping we can actually just upgrade our apps to v4 of resolve-url-loader.

Either way @bholloway I don't think there's any further action required from you, unless you'd be willing to look into seeing if v3 could be upgraded to use v2 of loader-utils.


G-Rath commented Nov 17, 2022

A v1 version of loader-utils with a fix has been released, but v3 of resolve-url-loader pins the dependency at an exact version, so it needs to have a new version released, either relaxing the constraint to allow minor versions (preferred) or otherwise pinning loader-utils to v1.4.2.
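
The pin-versus-range distinction in the comment above, as an added example that is not part of this thread or of resolve-url-loader: a small check, with no `semver` package required so it runs offline, that decides whether a `package.json` constraint on loader-utils can ever resolve to the patched 1.4.2 release named in the thread. The `1.2.3` pin is a constructed value, not resolve-url-loader's actual pin.

```javascript
// Added example (not from the resolve-url-loader project). Decides whether a
// package.json constraint can resolve to a patched release of a dependency.
// Handles the three common forms: exact "1.2.3", caret "^1.2.3", tilde "~1.2.3".
// Patched version 1.4.2 is taken from the thread; "1.2.3" is a constructed pin.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `constraint` admits `candidate` under npm's range rules.
function satisfies(constraint, candidate) {
  const op = constraint[0] === "^" || constraint[0] === "~" ? constraint[0] : "";
  const base = parseVersion(constraint.slice(op.length));
  const want = parseVersion(candidate);
  if (compare(want, base) < 0) return false;          // never below the floor
  if (op === "") return compare(want, base) === 0;    // exact pin: that release only
  if (op === "~") return want[0] === base[0] && want[1] === base[1]; // patch-level
  // caret: same major; for 0.x npm narrows to same minor, for 0.0.x to exact
  if (base[0] === 0 && base[1] === 0) return compare(want, base) === 0;
  if (base[0] === 0) return want[0] === 0 && want[1] === base[1];
  return want[0] === base[0];
}

// For each dependency spec, report whether a fresh install could pick up the
// patched release without the consuming package publishing a new version.
function auditConstraints(specs, patched) {
  return specs.map((spec) => ({ spec, allowsFix: satisfies(spec, patched) }));
}

// Constructed specs: an exact pin (as described for v3) beside a caret range.
const report = auditConstraints(["1.2.3", "^1.2.3", "~1.2.3"], "1.4.2");
console.log(report);
```

Only the caret spec admits 1.4.2; the exact pin and the tilde range both require a new release of the consuming package before the fix can be installed.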

@bholloway
Owner

Fixed by #229
