FriendsOfSymfony / FOSJsRoutingBundle

A pretty nice way to expose your Symfony routing to client applications.

webpack-inject-plugin > loader-utils vulnerability #454

Closed lampelk closed 6 months ago

lampelk commented 1 year ago

There is an issue with loader-utils, a dependency of webpack-inject-plugin:

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

> npm audit

  High            loader-utils is vulnerable to Regular Expression Denial of
                  Service (ReDoS) via url variable
  Package         loader-utils
  Patched in      >=1.4.2
  Dependency of   fos-router
  Path            fos-router > webpack-inject-plugin > loader-utils
  More info       https://github.com/advisories/GHSA-3rfm-jhwj-7488

  High            loader-utils is vulnerable to Regular Expression Denial of
                  Service (ReDoS)
  Package         loader-utils
  Patched in      >=1.4.2
  Dependency of   fos-router
  Path            fos-router > webpack-inject-plugin > loader-utils
  More info       https://github.com/advisories/GHSA-hhq3-ff78-jv3g

  Critical        Prototype pollution in webpack loader-utils
  Package         loader-utils
  Patched in      >=1.4.1
  Dependency of   fos-router
  Path            fos-router > webpack-inject-plugin > loader-utils
  More info       https://github.com/advisories/GHSA-76p3-8jx3-jpfq

loader-utils has patched this issue; however, webpack-inject-plugin has not updated or patched this.

I did notice a recommendation to deprecate the package in favour of BannerPlugin:

adierkens/webpack-inject-plugin - Issue #66 - Deprecate this plugin and suggest using the BannerPlugin instead
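As an added example (not code from FOSJsRoutingBundle or from this issue), the following Node script checks a package-lock.json for the three loader-utils advisories quoted in the npm audit output above and reconstructs the dependency chain the way npm audit prints its "Path" row. The lockfile contents and version numbers are constructed sample values, and the thresholds are the quoted "Patched in" versions, which cover the 1.x line the report is about.

```javascript
// Constructed lockfile (lockfileVersion 2/3 "packages" map); version numbers are sample values.
const SAMPLE_LOCK = { packages: {
  "": { dependencies: { "fos-router": "^2.0.0" } },
  "node_modules/fos-router": { version: "2.0.0", dependencies: { "webpack-inject-plugin": "^1.0.0" } },
  "node_modules/webpack-inject-plugin": { version: "1.0.0", dependencies: { "loader-utils": "^1.0.0" } },
  "node_modules/loader-utils": { version: "1.4.0" },
} };
// The three advisories from the npm audit output above, with their quoted "Patched in" versions.
const ADVISORIES = [
  { id: "GHSA-3rfm-jhwj-7488", title: "ReDoS via url variable", patched: "1.4.2" },
  { id: "GHSA-hhq3-ff78-jv3g", title: "ReDoS", patched: "1.4.2" },
  { id: "GHSA-76p3-8jx3-jpfq", title: "Prototype pollution", patched: "1.4.1" },
];
// Numeric major.minor.patch comparison; prerelease tags are ignored (assumes plain releases).
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map((n) => parseInt(n, 10) || 0));
  return [0, 1, 2].reduce((d, i) => d || (pa[i] || 0) - (pb[i] || 0), 0);
}
// npm resolution: look in fromKey's own node_modules first, then walk up towards the root.
function resolveDep(packages, fromKey, dep) {
  for (let base = fromKey; ; base = base.slice(0, Math.max(0, base.lastIndexOf("/node_modules/")))) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
  }
}
// Every dependency chain from the project root to targetKey, in npm audit's "Path" notation.
function pathsTo(packages, targetKey, key = "", chain = [], seen = new Set([""])) {
  const found = [];
  for (const dep of Object.keys(packages[key].dependencies || {})) {
    const depKey = resolveDep(packages, key, dep);
    if (!depKey || seen.has(depKey)) continue; // unresolved, or already on this chain (cycle)
    if (depKey === targetKey) found.push([...chain, dep].join(" > "));
    else found.push(...pathsTo(packages, targetKey, depKey, [...chain, dep], new Set(seen).add(depKey)));
  }
  return found;
}
// Report every installed loader-utils copy that is below an advisory's patched version.
function auditLoaderUtils(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key.split("node_modules/").pop() !== "loader-utils") continue;
    for (const adv of ADVISORIES.filter((a) => cmpVersion(meta.version, a.patched) < 0)) {
      findings.push({ id: adv.id, title: adv.title, version: meta.version, paths: pathsTo(lock.packages, key) });
    }
  }
  return findings;
}
console.log(JSON.stringify(auditLoaderUtils(SAMPLE_LOCK), null, 2));
```

Nested copies (a loader-utils installed under another package's own node_modules) are found and reported separately from a hoisted one, which is what makes the check useful after a partial upgrade.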

kissifrot commented 1 year ago

Hello, any update on this? 🙏

Crovitche-1623 commented 1 year ago

Any update?

ychadwick commented 7 months ago

Update please, this is a major vulnerability.

tobias-93 commented 6 months ago

The dependency is removed in version 3.4.0.