bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

loader-utils dependency v2 is vulnerable and should be updated to v3: CVE-2022-37599 #226

Closed Akkora closed 1 year ago

Akkora commented 1 year ago

Hello, as webpack's loader-utils v2 is vulnerable, we get issues when installing resolve-url-loader. Could you please provide an update with an upgrade to the v3 loader-utils package?

Link to more vulnerability details https://nvd.nist.gov/vuln/detail/CVE-2022-37599

bholloway commented 1 year ago

Fix is currently blocked. See attached PR.

G-Rath commented 1 year ago

The fix has been backported to v2 of loader-utils, so this should now no longer be an issue on v4 and v5 - however v3 is still using v1 of loader-utils; I have requested a further backport but am hoping we can actually just upgrade our apps to v4 of resolve-url-loader.

Either way @bholloway I don't think there's any further action required from you, unless you'd be willing to look into seeing if v3 could be upgraded to use v2 of loader-utils.

G-Rath commented 1 year ago

A v1 version of loader-utils with a fix has been released, but v3 of resolve-url-loader pins the dependency at an exact version, so it needs to have a new version released, either relaxing the constraint to allow minor versions (preferred) or otherwise pinning loader-utils to v1.4.2.
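The point above (an exact pin can never pick up the patched 1.4.2 release, while a `~` or `^` range would) as an added example, not code from resolve-url-loader or from this thread. It assumes a loader-utils 1.x dependency line and takes 1.4.2 as the patched version named in the thread; the sample specs are constructed.

```javascript
// Added example: decide whether a package.json dependency spec for loader-utils
// is able to resolve to the patched v1 release (1.4.2, as stated in the thread).
// Supports exact pins, "~" ranges and "^" ranges on x.y.z versions only.

const FIXED_V1 = [1, 4, 2]; // patched loader-utils v1 release named in the thread

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Window of versions a spec admits: min inclusive, max exclusive.
function allowedRange(spec) {
  const s = spec.trim();
  if (s.startsWith('^')) {
    const [maj, min, pat] = parseVersion(s.slice(1));
    // "^" keeps the left-most non-zero component fixed.
    const max = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, min, pat + 1];
    return { min: [maj, min, pat], max };
  }
  if (s.startsWith('~')) {
    const [maj, min, pat] = parseVersion(s.slice(1));
    return { min: [maj, min, pat], max: [maj, min + 1, 0] }; // patch-level changes only
  }
  const exact = parseVersion(s); // bare "x.y.z" is an exact pin
  return { min: exact, max: [exact[0], exact[1], exact[2] + 1] };
}

// True when the spec cannot resolve to the patched release, i.e. the consuming
// package itself must publish a new version (the situation described above).
function needsRelease(spec, fixed = FIXED_V1) {
  const { min, max } = allowedRange(spec);
  return !(cmp(fixed, min) >= 0 && cmp(fixed, max) < 0);
}

// Constructed sample specs: an exact pin like resolve-url-loader v3 uses,
// a tilde range, a caret range, and a pin already on the patched release.
function audit(specs = ['1.4.0', '~1.4.0', '^1.4.0', '1.4.2']) {
  return Object.fromEntries(specs.map((s) => [s, needsRelease(s)]));
}
```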

bholloway commented 1 year ago

Fixed by #229