jantimon / html-webpack-plugin

Simplifies creation of HTML files to serve your webpack bundles
MIT License

html-webpack-plugin v3.2.0 uses loader-utils v0.2.16 with CVE-2022-37601 #1775

Closed hgwr closed 1 year ago

hgwr commented 1 year ago

Current behaviour 💣

html-webpack-plugin v3.2.0 uses loader-utils v0.2.16 with CVE-2022-37601 vulnerability.

https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50

@vue/cli-service v4.5.19 uses html-webpack-plugin v3.2.0.

https://github.com/vuejs/vue-cli/blob/v4.5.19/yarn.lock#L10940

So, Dependabot is raising a warning on products using @vue/cli-service v4.5.19.

Expected behaviour ☀️

It is expected that Dependabot will no longer warn about CVE-2022-37601.

If html-webpack-plugin had a 3.x branch, I could have made a pull request for it, but it does not. So I made a pull request in the repository I forked.

https://github.com/hgwr/html-webpack-plugin/pull/1

Please use the above pull request if you like. And please release v3.2.1 of html-webpack-plugin that uses loader-utils v1.4.2, which is no longer vulnerable.

Reproduction Example 👾

see https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50

"loader-utils": "^0.2.16",

Environment 🖥

$ node -e "var os=require('os');console.log('Node.js ' + process.version + '\n' + os.platform() + ' ' + os.release())"
Node.js v14.18.2
darwin 21.6.0
$ npm --version
6.14.15
$ npm ls webpack
├  @vue/cli-plugin-babel@4.3.1
│ └  webpack@4.46.0  deduped
├  @vue/cli-plugin-eslint@4.3.1
│ └  webpack@4.46.0  deduped
├  @vue/cli-plugin-pwa@4.3.1
│ └  webpack@4.46.0  deduped
├  @vue/cli-plugin-typescript@4.3.1
│ └  webpack@4.46.0  deduped
├  @vue/cli-service@4.5.19
│ └  webpack@4.46.0  deduped
└  webpack@4.46.0
$ npm ls html-webpack-plugin
└  @vue/cli-service@4.5.19
  └  html-webpack-plugin@3.2.0
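One way to confirm which dependency chain pulls in the vulnerable loader-utils, as an added example that is not part of the original issue or of html-webpack-plugin itself: the script walks a dependency tree shaped like `npm ls --json` output and reports every path that ends in a loader-utils version below 1.4.2, the fixed version the issue names. The tree, the root package name `example-app` and the `some-other-loader` branch are constructed to mirror the issue's environment and are not real output.

```javascript
// Added example (not from html-webpack-plugin or the issue): walk an
// `npm ls --json`-style dependency tree and report every path that reaches a
// package whose version is below a known fixed version.

// Compare two dotted version strings numerically ("1.4.2" vs "0.2.16").
// Pre-release / build suffixes are ignored; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; returns "a@1 > b@2 > target@x" strings for every
// occurrence of `target` whose version is lower than `fixedVersion`.
// Entries without a nested `dependencies` object (deduped ones) are leaves.
function findVulnerablePaths(tree, target, fixedVersion) {
  const hits = [];
  function walk(name, node, trail) {
    const label = `${name}@${node.version || '?'}`;
    const path = trail.concat(label);
    if (name === target && node.version &&
        compareVersions(node.version, fixedVersion) < 0) {
      hits.push(path.join(' > '));
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, path);
    }
  }
  walk(tree.name, tree, []);
  return hits;
}

// Constructed tree in the shape of `npm ls --json`: the first branch mirrors
// the chain from the issue, the second is a hypothetical branch that already
// sits on the fixed loader-utils and must not be reported.
const sampleTree = {
  name: 'example-app', // hypothetical root package
  version: '1.0.0',
  dependencies: {
    '@vue/cli-service': {
      version: '4.5.19',
      dependencies: {
        'html-webpack-plugin': {
          version: '3.2.0',
          dependencies: { 'loader-utils': { version: '0.2.16' } },
        },
      },
    },
    'some-other-loader': { // hypothetical package
      version: '2.0.0',
      dependencies: { 'loader-utils': { version: '1.4.2' } },
    },
  },
};

// Report paths to loader-utils below 1.4.2 (the fixed version named in the issue).
function report() {
  return findVulnerablePaths(sampleTree, 'loader-utils', '1.4.2');
}

console.log(report().join('\n'));
```

In a real project, replace `sampleTree` with `JSON.parse` of the `npm ls --json` output; the walk stops at deduped entries because npm omits their nested `dependencies`, so run it against the full tree rather than a filtered listing.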
LaurensUP commented 1 year ago

Also html-webpack-plugin@4.5.0 has a dependency on loader-utils@^1.2.3. This introduces a transitive dependency on JSON5, allowing Prototype Pollution in JSON5 via Parse Method. https://github.com/advisories/GHSA-9c47-m6qq-7p4h

alexander-akait commented 1 year ago

Please update html-webpack-plugin to the latest version, this version is deprecated and no longer gets updates, sorry, feel free to give feedback