aurelia / webpack-plugin

A plugin for webpack that enables bundling Aurelia applications.
MIT License
90 stars 36 forks

Remove dependency on deprecated/unmaintained bundle-loader #167

Closed rmja closed 1 year ago

rmja commented 4 years ago

I'm submitting a feature request

Current behavior: The plugin depends on bundle-loader as a runtime dependency, but that library is currently archived on GitHub and is no longer maintained. It has issues that have not been addressed for years, so it would be really nice if the plugin did not depend on its existence.

Expected/desired behavior: Avoid using the deprecated bundle-loader dependency, and maybe replace its use with dynamic imports.

Alexander-Taran commented 3 years ago

Would you like to provide a pull request for it @rmja ?

rmja commented 3 years ago

I don't think that I know the internals of webpack and this plugin well enough to do this...

MaximBalaganskiy commented 1 year ago

Bump! There's a critical vulnerability in bundle-loader -> loader-utils@1.4.1

Alexander-Taran commented 1 year ago

@bigopon ping

Garbageous commented 1 year ago

Is there an ETA on a fix for this? Our SCA tool is giving us warnings about this.

bigopon commented 1 year ago

I'll get on this soon.

bigopon commented 1 year ago

I'm not aware of a replacement for bundle-loader. I think the simplest fix, which I'll apply, is to have a local copy in the dist of this plugin and use it instead, then remove the dep on bundle-loader.

rmja commented 1 year ago

@bigopon if you do that, then please add this fix: https://github.com/webpack-contrib/bundle-loader/pull/75

bigopon commented 1 year ago

v 5.0.5 has been published for the fix of this issue. Thanks everyone.

@rmja we can't just change it. Can you help create a failing test case? Or, if you want, you can bundle the failing test case with your fix in a PR.