jacobmischka / gatsby-plugin-react-svg

Adds svg-react-loader to gatsby webpack config
https://www.npmjs.com/package/gatsby-plugin-react-svg
MIT License

Dependency `svg-react-loader` uses vulnerable version of `loader-utils` #56

Open zarinacodes opened 1 year ago

zarinacodes commented 1 year ago

The dependency svg-react-loader not only uses a vulnerable version of loader-utils (1.1.0), but also seems to be abandoned, as its last release was 4 years ago. Is there a chance that you will fork it, fix it, or address this issue?

Would appreciate your help here.

tobiaszciesielski commented 1 year ago

The problem is still present. Vulnerable versions of json5 and loader-utils are still in use by the latest version of gatsby-plugin-react-svg: https://snyk.io/advisor/npm-package/gatsby-plugin-react-svg

```text
# npm audit report

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/svg-react-loader/node_modules/json5
  loader-utils  <=1.4.1
  Depends on vulnerable versions of json5
  node_modules/svg-react-loader/node_modules/loader-utils
    svg-react-loader  >=0.4.3
    Depends on vulnerable versions of loader-utils
    node_modules/svg-react-loader
      gatsby-plugin-react-svg  *
      Depends on vulnerable versions of svg-react-loader
      node_modules/gatsby-plugin-react-svg

loader-utils  <=1.4.1
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Depends on vulnerable versions of json5
No fix available
node_modules/svg-react-loader/node_modules/loader-utils
  svg-react-loader  >=0.4.3
  Depends on vulnerable versions of loader-utils
  node_modules/svg-react-loader
    gatsby-plugin-react-svg  *
    Depends on vulnerable versions of svg-react-loader
    node_modules/gatsby-plugin-react-svg
```

lubo commented 1 year ago

Since svg-react-loader is dead, the project should definitely migrate away. In the meantime, you can fix the vulnerabilities in your projects by using package.json overrides, just like in https://github.com/markavenue/website/commit/f26c4c74655ec0c90c956423bc5684f0d642d77b.
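One way to apply the package.json overrides approach lubo describes, as an added example that is not from the thread, the plugin, or the linked commit. The package name and dependency ranges are placeholders; the version floors come from the audit ranges above (json5 <1.0.2 and loader-utils <=1.4.1 are flagged), and nesting under `svg-react-loader` scopes the override to that package's own dependency tree rather than every copy in the project:

```json
{
  "name": "example-gatsby-site",
  "private": true,
  "dependencies": {
    "gatsby": "*",
    "gatsby-plugin-react-svg": "*"
  },
  "overrides": {
    "svg-react-loader": {
      "loader-utils": "^1.4.2",
      "json5": "^1.0.2"
    }
  }
}
```

After editing, run `npm install` so the lockfile is regenerated, then `npm ls loader-utils json5` and `npm audit` to confirm the nested copies under node_modules/svg-react-loader resolve to the patched versions. The `overrides` field needs npm 8.3 or later; Yarn uses a `resolutions` field for the same purpose.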