Comments (8)
Please migrate to version 3; version 2 is deprecated and isn't supported, thank you
From what I can see, loader.getOptions() was removed in version 3, and the loader this.getOptions() was introduced in webpack@5, meaning there is no solution here for webpack@4 and earlier. I accept that updating to version 3 is not much of an ask, but updating older projects to webpack@5 is a stretch. Is there some other workaround?
@Supraja9726 There is no information regarding CVE-2022-37599 on any of the usual sites. Does migrating to version 3 resolve the issue? Can this vulnerability be ignored by projects?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37599
Maybe this #215 too
This issue is linked in an npm advisory for version 3.2.0 of this library. This occurs on a clean new angular project.
# npm audit report
loader-utils ≤ 3.2.0
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. - https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38,https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83,https://github.com/webpack/loader-utils/issues/211
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/loader-utils
@angular-devkit/build-angular >=13.1.0-next.0
Depends on vulnerable versions of loader-utils
node_modules/@angular-devkit/build-angular
I'm a bit confused - this issue here is closed and only talks about version 2. Is version 3.2.0 affected, too? Will there be a fix for it? Or is the advisory wrong?
Edit: I see this has been reported already in #214 (comment). It's probably an npm bug where npm gets confused about the dependency path. There have been tons of these issues around npm since version 8... (or the advisory for this package actually states that it affects 3.2.0. It states <= 3.2.0; is that a typo that should have been < 3.2.0?)
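An added check, not code from loader-utils or from the commenters, for the dependency-path confusion above: it walks a package-lock.json (lockfileVersion 2/3 "packages" map), lists every installed copy of loader-utils with its install path, and evaluates the advisory range exactly as quoted (`<=3.2.0`, which is not the same as `<3.2.0`). The sample lockfile, its versions and the @angular-devkit/build-angular nesting are constructed for the demo.

```javascript
// Minimal semver triple comparison; a prerelease tag sorts below its release
// (13.1.0-next.0 < 13.1.0). Only "x.y.z[-pre]" is supported here.
function cmp(a, b) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
    if (!m) throw new Error(`unsupported version: ${v}`);
    return { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Evaluate an advisory range such as "<=3.2.0" or ">=2.0.0 <2.0.4" (space = AND).
function inRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(clause);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    const op = m[1] || '=';
    const c = cmp(version, m[2]);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
  });
}

// Report every installed copy of `name`, including nested duplicates, with its path.
// A clean top-level copy does not make a nested older copy go away.
function findAffected(lock, name, range) {
  const hits = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === '' || !p.endsWith(`node_modules/${name}`)) continue;
    hits.push({ path: p, version: entry.version, affected: inRange(entry.version, range) });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): a top-level 3.2.1 copy
// plus a nested 2.0.0 copy pulled in by @angular-devkit/build-angular.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '0.0.0' },
  'node_modules/loader-utils': { version: '3.2.1' },
  'node_modules/@angular-devkit/build-angular': { version: '13.1.0', dependencies: { 'loader-utils': '^2.0.0' } },
  'node_modules/@angular-devkit/build-angular/node_modules/loader-utils': { version: '2.0.0' },
}};

const REPORT = findAffected(SAMPLE_LOCK, 'loader-utils', '<=3.2.0');
for (const h of REPORT) console.log(`${h.path} ${h.version} affected=${h.affected}`);
```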
The main issue around Regex DoS attacks is badly formed queries that are not strict enough, and no exit condition involving a time limit for processing. If you ensure that the query is perfectly formed, or at least add an exit condition based on a time limit (a few seconds), then this should resolve the issue. More information here: https://www.regular-expressions.info/redos.html#Handling%20Regexes%20Provided%20by%20The%20User. I will drop this information on the other threads as I believe this is still a legitimate vulnerability in v3.x as well.
#225 fixes this issue as well for the 2.0.x version?
Yes, backported to all versions (except 0.x)