
V3 maintenance: loosen constraints on loader-utils dependency #229

Merged
merged 1 commit into from
Dec 2, 2022

Conversation

@orien orien commented Dec 2, 2022

Context

resolve-url-loader version 3 has a dependency on loader-utils version 1.2.3. There are multiple CVEs against loader-utils version 1.2.3. It'd be awesome to allow upgrading to a version that includes security patches!

Change

Loosen the constraints on the version of loader-utils to any major version 1, 1.2.3 or above.

This should maintain compatibility.

@orien orien mentioned this pull request Dec 2, 2022
@bholloway (Owner)

@orien this is to maintain 2 major versions previous.

Generally I go to a lot of effort to make sure the new versions are backwards compatible so people can upgrade without too much trouble. So before looking to do that can you please give reasons why you cannot use v4 or v5?

@orien (Author) commented Dec 2, 2022

Hi @bholloway, thanks for considering this.

I have a gatsby.js app which is making use of the gatsby-plugin-sass plugin. This plugin has a dependency on resolve-url-loader which is constrained to version 3.

https://github.com/gatsbyjs/gatsby/blob/535c3b44611fb5608df5d78299897019ffdb559a/packages/gatsby-plugin-sass/package.json#L11

The plugin has ~100K weekly downloads, so I imagine there are many people in a similar situation to me.

@bholloway (Owner)

Okay not promising anything but let me fix the latest release and work backwards.

In the mean time I'd suggest putting in an override to get 2.0.4 in your project.

@orien (Author) commented Dec 2, 2022

FYI: There are security patches available for loader-utils version 1 (1.4.2).

I expect jumping to this version is less work on this old branch.

@orien (Author) commented Dec 2, 2022

Perhaps this will help with the maintenance burden #230.

@orien (Author) commented Dec 2, 2022

I don't think there's any need to fix version V4 and V5. See #227 (comment).

V3 does have a hard dependency on a vulnerable library though.

Any major version 1, after 1.2.3 should work.

There are multiple CVEs against version 1.2.3. We should allow upgrading
to a version that includes security patches.

* CVE-2022-37599 - https://nvd.nist.gov/vuln/detail/CVE-2022-37599
* CVE-2022-37601 - https://nvd.nist.gov/vuln/detail/CVE-2022-37601
* CVE-2022-37603 - https://nvd.nist.gov/vuln/detail/CVE-2022-37603
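Why the exact pin matters, and what the caret range in this PR changes, as an added example that is not part of resolve-url-loader, the PR, or either participant's comments: a minimal semver check (exact pins and caret ranges only, no external packages) applied to the loader-utils versions the thread mentions (1.2.3 pinned, 1.4.2 cited above as the patched 1.x release, 2.0.4 suggested via an override). The `overrideFor` helper and its hypothetical consumer usage are assumptions; the `overrides` field it emits is npm's package.json overrides format.

```javascript
// Added example (not project code): show that a pinned "1.2.3" dependency can never
// resolve to a patched 1.x release, while "^1.2.3" admits 1.4.2 and still excludes 2.x.
// Only the semver subset needed here is implemented: plain x.y.z, exact pins, caret ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies `range`.
// "1.2.3"  -> exact pin
// "^1.2.3" -> >=1.2.3 <2.0.0 (npm caret: first non-zero component is the breaking boundary,
//             so ^0.2.1 means >=0.2.1 <0.3.0 and ^0.0.3 means >=0.0.3 <0.0.4)
function satisfies(version, range) {
  range = range.trim();
  if (!range.startsWith('^')) return compareVersions(version, range) === 0;

  const base = range.slice(1);
  const [major, minor, patch] = parseVersion(base);
  const [vMajor, vMinor, vPatch] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (major > 0) return vMajor === major;
  if (minor > 0) return vMajor === 0 && vMinor === minor;
  return vMajor === 0 && vMinor === 0 && vPatch === patch;
}

// Constructed sample: the loader-utils releases discussed in the thread.
const candidates = ['1.2.3', '1.4.2', '2.0.4'];

// Which of the sample releases a given dependency constraint lets the resolver pick.
function allowedBy(range) {
  return candidates.filter((v) => satisfies(v, range));
}

// Hypothetical helper for a consumer (e.g. a project stuck behind a plugin's pin) that
// forces a specific loader-utils release via npm's package.json "overrides" field.
function overrideFor(version) {
  return { overrides: { 'loader-utils': version } };
}

console.log('pinned 1.2.3 allows:', allowedBy('1.2.3'));   // only 1.2.3, patched 1.4.2 unreachable
console.log('caret ^1.2.3 allows:', allowedBy('^1.2.3'));  // 1.2.3 and 1.4.2, but not 2.0.4
console.log('package.json override:', JSON.stringify(overrideFor('2.0.4')));
```

The check also makes the caveat visible: a caret range only admits releases within the same major, so a consumer who wants the 2.x line (as suggested earlier in the thread) still needs an override rather than relying on the loosened constraint.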
@bholloway (Owner)

IIRC it should retrigger CI to close and reopen, will try it

@bholloway bholloway closed this Dec 2, 2022
@bholloway bholloway reopened this Dec 2, 2022
@bholloway bholloway merged commit b5baa7f into bholloway:v3-maintenance Dec 2, 2022
@bholloway (Owner)

Published 3.1.5

@orien (Author) commented Dec 2, 2022

Thanks very much @bholloway. I appreciate it 🙇
