bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

V3 maintenance: loosen constraints on `loader-utils` dependency #229

Closed orien closed 1 year ago

orien commented 1 year ago

Context

resolve-url-loader version 3 has a dependency on loader-utils version 1.2.3. There are multiple CVEs against loader-utils version 1.2.3. It'd be awesome to allow upgrading to a version that includes security patches!

Change

Loosen the constraints on the version of loader-utils to any major version 1, 1.2.3 or above.

This should maintain compatibility.

bholloway commented 1 year ago

@orien this is to maintain 2 major versions previous.

Generally I go to a lot of effort to make sure the new versions are backwards compatible so people can upgrade without too much trouble. So before looking to do that can you please give reasons why you cannot use v4 or v5?

orien commented 1 year ago

Hi @bholloway, thanks for considering this.

I have a gatsby.js app which is making use of the gatsby-plugin-sass plugin. This plugin has a dependency on resolve-url-loader which is constrained to version 3.

https://github.com/gatsbyjs/gatsby/blob/535c3b44611fb5608df5d78299897019ffdb559a/packages/gatsby-plugin-sass/package.json#L11

The plugin has ~100K weekly downloads, so I imagine there are many people in a similar situation to me.

bholloway commented 1 year ago

Okay not promising anything but let me fix the latest release and work backwards.

In the meantime I'd suggest putting in an override to get 2.0.4 in your project.

orien commented 1 year ago

FYI: There are security patches available for loader-utils version 1 (1.4.2).

I expect jumping to this version is less work on this old branch.

orien commented 1 year ago

Perhaps this will help with the maintenance burden #230.

orien commented 1 year ago

I don't think there's any need to fix version V4 and V5. See https://github.com/bholloway/resolve-url-loader/pull/227#issuecomment-1334802126.

V3 does have a hard dependency on a vulnerable library though.

bholloway commented 1 year ago

IIRC it should retrigger CI to close and reopen, will try it.

bholloway commented 1 year ago

Published 3.1.5

orien commented 1 year ago

Thanks very much @bholloway. I appreciate it 🙇