Closed hgwr closed 1 year ago
Also html-webpack-plugin@4.5.0 has a dependency on loader-utils@^1.2.3. This introduces a transitive dependency on JSON5, allowing Prototype Pollution in JSON5 via the Parse Method. https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Please update html-webpack-plugin
to the latest version; this version is deprecated and no longer gets updates, sorry. Feel free to give feedback.
Current behaviour
html-webpack-plugin v3.2.0 uses loader-utils v0.2.16, which has the CVE-2022-37601 vulnerability.
https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50
@vue/cli-service v4.5.19 uses html-webpack-plugin v3.2.0 .
https://github.com/vuejs/vue-cli/blob/v4.5.19/yarn.lock#L10940
So, Dependabot is raising a warning on products using @vue/cli-service v4.5.19.
Expected behaviour
It is expected that Dependabot will no longer warn about CVE-2022-37601.
If html-webpack-plugin had a 3.x branch, I could have made a pull request for it, but it does not. So I made a pull request in the repository I forked.
https://github.com/hgwr/html-webpack-plugin/pull/1
Please use the above pull request if you like. And please release v3.2.1 of html-webpack-plugin that uses loader-utils v1.4.2, which is no longer vulnerable.
Reproduction Example
see https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50
Environment
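A way to confirm which copies of loader-utils a project's lockfile actually resolves, and under which parent each one is nested, added here as an illustration; it is not part of this issue, of html-webpack-plugin or of @vue/cli-service. The lockfile fragment is constructed to mirror the chain described above (an npm lockfileVersion 3 "packages" map rather than the yarn.lock linked in the issue), and the affected ranges for CVE-2022-37601 are assumed from the advisory and should be checked against its current text:

```javascript
// Added example: walk an npm lockfile (lockfileVersion 3 "packages" map) and
// report every installed copy of a package, flagging those inside the
// advisory's affected ranges. Not code from the issue or from the projects.

// Constructed lockfile fragment mirroring the chain in the issue:
// @vue/cli-service -> html-webpack-plugin@3.2.0 -> loader-utils@0.2.16,
// with a patched loader-utils@1.4.2 hoisted to the top level for contrast.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@vue/cli-service": "4.5.19", "loader-utils": "1.4.2" } },
    "node_modules/loader-utils": { version: "1.4.2" },
    "node_modules/@vue/cli-service": {
      version: "4.5.19",
      dependencies: { "html-webpack-plugin": "^3.2.0" }
    },
    "node_modules/html-webpack-plugin": {
      version: "3.2.0",
      dependencies: { "loader-utils": "^0.2.16" }
    },
    // nested copy: the ^0.2.16 range cannot be satisfied by the hoisted 1.4.2
    "node_modules/html-webpack-plugin/node_modules/loader-utils": { version: "0.2.16" }
  }
};

// Affected ranges for CVE-2022-37601 (assumption taken from the advisory:
// fixed in 1.4.1 on the 1.x line and in 2.0.3 on the 2.x line).
const AFFECTED = [
  { min: [0, 0, 0], fixed: [1, 4, 1] },
  { min: [2, 0, 0], fixed: [2, 0, 3] }
];

// Minimal x.y.z parsing; lockfiles record concrete versions, not ranges.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when version lies in [min, fixed) for any affected range.
function isAffected(version, ranges = AFFECTED) {
  const v = parseVersion(version);
  return ranges.some(r => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
}

// Package name encoded by the last "node_modules/" segment of a lock path;
// scoped names such as "@vue/cli-service" keep their scope.
function nameOf(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Every lock path whose final segment is `name` is one installed copy; the
// prefix of the path records which package it was nested under.
function resolvedCopies(lock, name) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || nameOf(lockPath) !== name) continue;
    const idx = lockPath.lastIndexOf("/node_modules/");
    const parent = idx === -1 ? "(root)" : nameOf(lockPath.slice(0, idx));
    out.push({ path: lockPath, parent, version: entry.version, affected: isAffected(entry.version) });
  }
  return out;
}

// Human-readable summary; the affected copies are what Dependabot reports.
function report(lock, name) {
  return resolvedCopies(lock, name).map(c =>
    `${name}@${c.version} under ${c.parent}: ${c.affected ? "AFFECTED" : "ok"}`
  );
}

console.log(report(SAMPLE_LOCK, "loader-utils").join("\n"));
```

Running it against the constructed lock shows that bumping the top-level loader-utils does nothing for the copy nested under html-webpack-plugin, because ^0.2.16 cannot resolve to 1.4.x; only a release of html-webpack-plugin that raises its own range (as the issue asks) or a yarn `resolutions` / npm `overrides` entry forcing loader-utils to a patched version removes the nested copy.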