Updates loader-utils to 3.2.1 due to Security Vulnerability #834
boroth wants to merge 2 commits into pmmmwh:main from
I guess this fix may only work on Webpack 5, not sure what the standard way of handling that is in this project. I wouldn't be opposed to trying to get
| "find-up": "^5.0.0", | ||
| "html-entities": "^2.1.0", | ||
| "loader-utils": "^2.0.4", | ||
| "loader-utils": "^3.2.1", |
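Review bot: the loader-utils range on the changed line goes from ^2.0.4 to ^3.2.1, which crosses a major version, so every direct import of loader-utils in this package should be checked against the 3.x API before merging, and the Webpack 4 test run confirmed, since the author's comment says the fix may only work on Webpack 5. If nothing in the package imports loader-utils directly, removing the entry is the smaller change, because it stops this package from dictating a major version to its consumers.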
Do we still consume loader-utils directly? If not I'm leaning towards removing this as a dependency to let downstream decide on what version is best for them.
I'll look a bit into if it's possible to have both supported and resolve the vulnerability. In any case I don't think we're really using the code path that is reported, but it's nonetheless good to be on a version where this doesn't warn.

Will be fixed in
Been resolving some Dependabot alerts in another repo, and ran into an issue with react-refresh-webpack-plugin needing to be updated to the newer version of loader-utils. This just updates the loader-utils package, but I'm also open to doing some additional yarn updating/auditing if people are interested in that.

Tests seem to be passing, just need to run a build and see if it's all good to go 👍🏾