Closed plasticlobster closed 1 year ago
Looks like https://github.com/shakacode/bootstrap-loader/pull/410 resolves this.
Is there a scheduled NPM release that may include this?
@justin808 sorry to be so persistent. I see that @dargmuesli asked a couple of weeks ago in #410 if you would tag a new release. Can that please happen? This CVE is extremely serious.
@plasticlobster I just pushed 4.0.2.
Thanks so much! This cleared our critical dependabot alerts...
There's a less serious CVE-2022-37603 (7.5/10) that needs a version bump to loader-utils 1.4.2 to clear, but I'm able to force that install on my end using yarn.
It would be amazing if bootstrap-loader could change its dependency to ^1.0.0 (or better yet ^2.0.0) instead of hard-versioning on individual versions.
But I do appreciate you getting this released. It's a huge help. Thank you.
The current version of bootstrap-loader has a hard-versioned dependency on loader-utils 1.2.3.
loader-utils < 1.4.1 has a critical CVE (9.8/10) (CVE-2022-37601) - https://nvd.nist.gov/vuln/detail/CVE-2022-37601
Is there any chance this lib can be bumped without causing issues?
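Added example, not code from this thread or from the bootstrap-loader project: a small offline check for the situation the issue and the comments above describe. It parses a yarn.lock (v1 format) and reports every resolved 1.x version of loader-utils that is below the fixed versions the thread states (1.4.1 for CVE-2022-37601, 1.4.2 for CVE-2022-37603). The lockfile text is constructed for illustration, the function and constant names are my own, and other major lines of loader-utils are deliberately left unassessed because the thread gives fix versions only for 1.x.

```python
import re

# Constructed yarn.lock v1 excerpt for illustration only; not a real project's lockfile.
# It contains three resolutions of loader-utils (1.2.3, 1.4.1, 1.4.2) and one scoped package.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^18.0.0":
  version "18.11.9"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-18.11.9.tgz"
  integrity sha512-PLACEHOLDER

loader-utils@1.2.3:
  version "1.2.3"
  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.2.3.tgz"
  integrity sha512-PLACEHOLDER
  dependencies:
    big.js "^5.2.2"
    emojis-list "^2.0.0"
    json5 "^1.0.1"

loader-utils@^1.4.0, loader-utils@^1.4.1:
  version "1.4.1"
  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.4.1.tgz"
  integrity sha512-PLACEHOLDER

loader-utils@^1.4.2:
  version "1.4.2"
  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.4.2.tgz"
  integrity sha512-PLACEHOLDER
"""

# Fixed versions of the 1.x line as stated in the thread (assumption: taken from the comments,
# not re-verified here against the advisories).
FIXED_IN_1X = {"CVE-2022-37601": "1.4.1", "CVE-2022-37603": "1.4.2"}

_VERSION_LINE = re.compile(r'^  version "([^"]+)"')


def parse_version(v):
    """Numeric (major, minor, patch) of a version string; pre-release/build tags are dropped."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in core.groups())


def parse_yarn_lock(text):
    """Return a list of (package_name, requested_spec, resolved_version) from yarn.lock v1 text."""
    entries = []
    pending_specs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line[0].isspace():
            # Header line: one or more comma-separated "name@range" specs, possibly quoted, ending in ':'
            header = line.rstrip(":")
            pending_specs = [s.strip().strip('"') for s in header.split(",")]
            continue
        m = _VERSION_LINE.match(line)
        if m and pending_specs:
            version = m.group(1)
            for spec in pending_specs:
                # Split on the last '@' so scoped names such as "@types/node@^18.0.0" keep their scope
                name, _, _requested = spec.rpartition("@")
                entries.append((name, spec, version))
            pending_specs = []
    return entries


def find_vulnerable_loader_utils(lock_text, package="loader-utils"):
    """Map each resolved 1.x version of `package` to the CVE ids it is still below the fix for."""
    findings = {}
    for name, _spec, version in parse_yarn_lock(lock_text):
        if name != package:
            continue
        parsed = parse_version(version)
        if parsed[0] != 1:
            # Only the 1.x line is assessed: the thread states fixed versions for that line alone.
            continue
        cves = sorted(cve for cve, fixed in FIXED_IN_1X.items() if parsed < parse_version(fixed))
        if cves:
            findings[version] = cves
    return findings


if __name__ == "__main__":
    for version, cves in sorted(find_vulnerable_loader_utils(SAMPLE_YARN_LOCK).items()):
        print(f"loader-utils {version}: {', '.join(cves)}")
```

Running it on a real lockfile (`find_vulnerable_loader_utils(open("yarn.lock").read())`) tells you which resolved versions are still in the vulnerable range; `yarn why loader-utils` then shows which dependency pins each one. The forced install the commenter describes is a yarn v1 selective resolution in package.json, for example `"resolutions": {"loader-utils": "^1.4.2"}`, which is exactly the kind of override that becomes unnecessary once a dependent declares a range such as ^1.0.0 instead of an exact version.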