Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update dependencies #227

Open
wants to merge 2 commits into
base: v5
Choose a base branch
from
Open

update dependencies #227

wants to merge 2 commits into from

Conversation

bholloway
Copy link
Owner

Fixes #226

@bholloway
Copy link
Owner Author

Webpack 4 tests are failing. Looks like we are unable to use loader-utils@3 due to getOptions() being removed.

See discussion.

@bholloway
Copy link
Owner Author

bholloway commented Oct 14, 2022
edited
Loading

One possible solution here is to merge just the 2nd commit which inlines loaderUtils.isUrlRequest() but not update any dependencies.

That doesn't fix resolve-url-loader but would allow users with any webpack@5 project to make a local dependency override and use loaderUtils@3 without breaking functionality.

@G-Rath G-Rath mentioned this pull request Nov 6, 2022
Closed
naresh2071
naresh2071 reviewed Nov 11, 2022
View reviewed changes
packages/resolve-url-loader/lib/value-processor.js Outdated
@@ -128,7 +158,7 @@ function valueProcessor({ join, root, directory }) {
* @return {boolean} True for absolute uri
*/
function testIsAbsolute(uri) {
return !!uri && (typeof root === 'string') && loaderUtils.isUrlRequest(uri, root) &&
return !!uri && (typeof root === 'string') && isUrlRequest(uri, root) &&
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bholloway why cannot we use the loaderUtils.isUrlRequest by just upgrading the loader utils version?

@mmalka
Copy link

mmalka commented Dec 1, 2022
edited
Loading

Hello @bholloway, they apparently backported a fix to all their major version, can we just get the hotfix that doesn't suppress options ?

Choose your weapon: https://github.com/webpack/loader-utils/releases

Proposed update :
"loader-utils": "^2.0.4"

and nothing else is needed.

@orien
Copy link

orien commented Dec 2, 2022

I've proposed a fix for version 3 in #229.

@bholloway
Copy link
Owner Author

looking again at this now

@orien
Copy link

orien commented Dec 2, 2022
edited
Loading

The resolve-url-loader constraint in version 4 and version 5 already allows downstream users to upgrade to a patched version of loader-utlis.

Version 5.0.0 allows loader-utils v2.0.4: https://github.com/bholloway/resolve-url-loader/blob/5.0.0/packages/resolve-url-loader/package.json#L40

Version 4.0.0 allows loader-utils v2.0.4:https://github.com/bholloway/resolve-url-loader/blob/4.0.0/packages/resolve-url-loader/package.json#L40

I don't think there's any urgency to release changes to these versions.

@orien orien mentioned this pull request Dec 2, 2022
Merged
@bholloway
Copy link
Owner Author

Hmm yes good point @orien

@bholloway bholloway mentioned this pull request Dec 2, 2022
Closed
@bholloway
Copy link
Owner Author

Current state of this change is that

  1. its not strictly necessary since vulnerabilities have been solved
  2. there is some CI issues because tests - probably because I have selected old Sass with old Node and the Node LTS has moved forward a long way

I will put this on hold and come back to it later but (2) might block any later work to update dependencies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@naresh2071 naresh2071 naresh2071 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

loader-utils dependency v2 is vulnerable and should be updated to v3: CVE-2022-37599
4 participants
@bholloway @mmalka @orien @naresh2071