Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.
A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.
This PR contains the following updates:
2.0.2->2.0.4GitHub Vulnerability Alerts
CVE-2022-37601
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.
CVE-2022-37599
A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.
CVE-2022-37603
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.
Release Notes
webpack/loader-utils (loader-utils)
### [`v2.0.4`](https://togithub.com/webpack/loader-utils/releases/tag/v2.0.4) [Compare Source](https://togithub.com/webpack/loader-utils/compare/v2.0.3...v2.0.4) ##### [2.0.4](https://togithub.com/webpack/loader-utils/compare/v2.0.3...v2.0.4) (2022-11-11) ##### Bug Fixes - ReDoS problem ([#225](https://togithub.com/webpack/loader-utils/issues/225)) ([ac09944](https://togithub.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb)) ### [`v2.0.3`](https://togithub.com/webpack/loader-utils/releases/tag/v2.0.3) [Compare Source](https://togithub.com/webpack/loader-utils/compare/v2.0.2...v2.0.3) ##### [2.0.3](https://togithub.com/webpack/loader-utils/compare/v2.0.1...v2.0.3) (2022-10-20) ##### Bug Fixes - **security:** prototype pollution exploit ([#217](https://togithub.com/webpack/loader-utils/issues/217)) ([a93cf6f](https://togithub.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.