
US582211 Update loader-utils version to 2.0.3 #72

Merged
merged 3 commits into from Nov 8, 2022

Conversation

@vishalkumar-barnwal vishalkumar-barnwal changed the title Update loader-utils version to 2.0.3 US582211 Update loader-utils version to 2.0.3 Nov 7, 2022
@buildmachine-sou-jenkins2
Contributor

@vishalkumar-barnwal vishalkumar-barnwal requested review from andyreidz and removed request for andyreidz November 7, 2022 13:45
@vishalkumar-barnwal
Collaborator Author

vishalkumar-barnwal commented Nov 8, 2022

@andyreidz the Dependabot alert has been withdrawn; it's no longer available. Do we still need this change in the version of loader-utils?

BTW the vulnerability details are here.

@andyreidz
Collaborator

@vishalkumar-barnwal Can you research why alerts get withdrawn, in the general sense?
Also, have other open-source projects experienced the same issue?

@vishalkumar-barnwal
Collaborator Author

vishalkumar-barnwal commented Nov 8, 2022

@andyreidz, CVE-2022-37601 is actually based on the issue. The Dependabot suggestion was to upgrade the loader-utils version to 2.0.3 or above, but only a few hours back the issue was also fixed for v1.4.1, for these reasons. The suggested advisory has also been updated. This could be a reason that the old alert has been withdrawn.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-37601
webpack/loader-utils#212
https://github.com/webpack/loader-utils/releases/tag/v2.0.3
https://github.com/webpack/loader-utils/releases/tag/v1.4.1
GHSA-76p3-8jx3-jpfq

@vishalkumar-barnwal vishalkumar-barnwal merged commit 844068d into develop Nov 8, 2022
@vishalkumar-barnwal vishalkumar-barnwal deleted the US582211-loader-utils-2.0.3 branch November 8, 2022 14:27