v15 using a vulnerable version of webpack loader-utils

[okuuva]

vue-loader before 16.0.0-rc2 depend on a vulnerable version of webpack loader-utils (and vue-style-loader which also depends on the same vulnerable package):

❯ npm audit report
# npm audit report

loader-utils  <2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix --force`
Will install vue-loader@17.0.1, which is a breaking change
node_modules/vue-loader/node_modules/loader-utils
node_modules/vue-style-loader/node_modules/loader-utils
  vue-loader  2.0.0 - 16.0.0-rc.2
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of vue-style-loader
  node_modules/vue-loader
  vue-style-loader  *
  Depends on vulnerable versions of loader-utils
  node_modules/vue-style-loader

3 critical severity vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2022-37601

[vue-bot]

Hello, thank you for taking time filling this issue!

However, we kindly ask you to use our Issue Helper when creating new issues, in order to ensure every issue provides the necessary information for us to investigate. This explains why your issue has been automatically closed by me (your robot friend!).

I hope to see your helper-created issue very soon!

[haoqunjiang]

https://github.com/webpack/loader-utils/issues/218#issuecomment-1306163826 Fixed in loader-utils@1.4.1