webpack-inject-plugin > loader-utils vulnerability #454

Closed
lampelk opened this issue Jan 6, 2023 · 4 comments
Comments

@lampelk

lampelk commented Jan 6, 2023

There is an issue with loader-utils, a dependency of webpack-inject-plugin:

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

> npm audit

  High            loader-utils is vulnerable to Regular Expression Denial of    
                  Service (ReDoS) via url variable                              
                                                                                
  Package         loader-utils                                                  
                                                                                
  Patched in      >=1.4.2                                                       
                                                                                
  Dependency of   fos-router                                                    
                                                                                
  Path            fos-router > webpack-inject-plugin > loader-utils             
                                                                                
  More info       https://github.com/advisories/GHSA-3rfm-jhwj-7488             
                                                                                
                                                                                
  High            loader-utils is vulnerable to Regular Expression Denial of    
                  Service (ReDoS)                                               
                                                                                
  Package         loader-utils                                                  
                                                                                
  Patched in      >=1.4.2                                                       
                                                                                
  Dependency of   fos-router                                                    
                                                                                
  Path            fos-router > webpack-inject-plugin > loader-utils             
                                                                                
  More info       https://github.com/advisories/GHSA-hhq3-ff78-jv3g             
                                                                                
                                                                                
  Critical        Prototype pollution in webpack loader-utils                   
                                                                                
  Package         loader-utils                                                  
                                                                                
  Patched in      >=1.4.1                                                       
                                                                                
  Dependency of   fos-router                                                    
                                                                                
  Path            fos-router > webpack-inject-plugin > loader-utils             
                                                                                
  More info       https://github.com/advisories/GHSA-76p3-8jx3-jpfq   

loader-utils has patched this issue; however, webpack-inject-plugin has not updated or patched this.

I did notice a recommendation to deprecate the package in favour of BannerPlugin:

adierkens/webpack-inject-plugin - Issue #66 - Deprecate this plugin and suggest using the BannerPlugin instead
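As an added example (not code from this issue or from the FOSJsRoutingBundle project), a small Node script that scans a lockfileVersion 2/3 `package-lock.json` for `loader-utils` copies below the "Patched in" versions quoted in the audit above, so a project can confirm whether the nested copy pulled in through webpack-inject-plugin is still present. The lock contents and version numbers below are constructed for the demonstration.

```javascript
// Advisory ids and fixed versions as quoted in the npm audit output above.
const ADVISORIES = [
  { id: 'GHSA-3rfm-jhwj-7488', title: 'ReDoS via url variable', fixed: '1.4.2' },
  { id: 'GHSA-hhq3-ff78-jv3g', title: 'ReDoS', fixed: '1.4.2' },
  { id: 'GHSA-76p3-8jx3-jpfq', title: 'Prototype pollution', fixed: '1.4.1' },
];

// True when dotted version a is lower than b (major.minor.patch only;
// pre-release suffixes are dropped, which is enough for these advisories).
function versionLess(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Turn a lock key like "node_modules/a/node_modules/b" into "a > b".
// This is the on-disk nesting location, not the full dependency chain
// that npm audit prints under "Path".
function nestingPath(key) {
  return key.split('node_modules/').filter(Boolean)
    .map((s) => s.replace(/\/$/, '')).join(' > ');
}

// One finding per (loader-utils copy, advisory it is still exposed to).
function findVulnerableLoaderUtils(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/loader-utils') || !meta.version) continue;
    for (const adv of ADVISORIES) {
      if (versionLess(meta.version, adv.fixed)) {
        findings.push({ path: nestingPath(key), version: meta.version,
          advisory: adv.id, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed lock: a hoisted, patched loader-utils plus an older copy nested
// under webpack-inject-plugin (versions here are made up for the example).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/fos-router': { version: '3.3.0' },
    'node_modules/webpack-inject-plugin': { version: '1.0.0' },
    'node_modules/webpack-inject-plugin/node_modules/loader-utils': { version: '1.4.0' },
    'node_modules/loader-utils': { version: '2.0.4' },
  },
};

console.log(findVulnerableLoaderUtils(sampleLock));
```

Run it against a real lock with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `sampleLock`; an empty result after upgrading to the 3.4.0 release mentioned later in this thread confirms the nested copy is gone.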

@kissifrot

Hello, any update on this? 🙏

@Crovitche-1623

Any update?

ar10642 pushed a commit to ar10642/FOSJsRoutingBundle that referenced this issue Aug 11, 2023
@ychadwick

Update please, this is a major vulnerability.

tobias-93 pushed a commit to ar10642/FOSJsRoutingBundle that referenced this issue Dec 12, 2023
tobias-93 pushed a commit that referenced this issue Dec 12, 2023
@tobias-93
Collaborator

Dependency is removed in version 3.4.0
