Critical vulnerability issue in dependency loader-utils version 1.2.3 #73

Closed
jruales opened this issue Nov 9, 2022 · 6 comments

jruales commented Nov 9, 2022

This library, typings-for-css-modules-loader, currently has a dependency on loader-utils version 1.2.3 specifically, which has a critical-severity vulnerability:

Please update the dependency to address this critical vulnerability that is being flagged in Dependabot alerts of projects that depend on typings-for-css-modules-loader.

Author

jruales commented Nov 9, 2022

FYI @Obi-Dann @niklasmh @raphael-leger

Ivan-Strahovsky commented Nov 11, 2022

Guys, please take a look at the PR #74 and make a new release.

Ivan-Strahovsky pushed a commit to Ivan-Strahovsky/typings-for-css-modules-loader that referenced this issue Nov 11, 2022
…ion with the fix, don't want to upgrade to the latest available version as it is two major versions up and I'm not in this repo code and can't guarantee this update will be smooth.

@propkitty

This seriously needs a fix as this is a critical issue. Please accept the fix and make a new release ASAP!

bgever commented Jan 18, 2023

As a temporary workaround, you can add this to package.json for NPM 8.3+, based on @Ivan-Strahovsky's PR #74.

"overrides": {
    "loader-utils": "^1.4.2"
}
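
A check that the override above actually took effect, as an added example that is not part of the original thread or the project's code: it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and lists every installed copy of loader-utils outside `^1.4.2`. The function names and the sample lockfile are constructed for illustration, and treating 1.4.2 as the minimum acceptable version is an assumption taken from the override range in the comment.

```javascript
// Added example: confirm an npm "overrides" entry for loader-utils took effect.
// Assumption: 1.4.2 (from the override range above) is the minimum acceptable 1.x version.
const MIN_FIXED = [1, 4, 2];

// Parse a plain "x.y.z" version into [x, y, z]. Anything else (for example a
// pre-release tag) returns null and is treated as not satisfying the range.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when the version satisfies ^1.4.2: major is 1 and version >= 1.4.2.
function satisfiesOverride(version) {
  const p = parseVersion(version);
  if (!p || p[0] !== MIN_FIXED[0]) return false;
  if (p[1] !== MIN_FIXED[1]) return p[1] > MIN_FIXED[1];
  return p[2] >= MIN_FIXED[2];
}

// Walk the "packages" map of a parsed package-lock.json and return every
// installed copy of loader-utils, top-level or nested, outside the range.
function findStaleLoaderUtils(lock) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isLoaderUtils = path === "node_modules/loader-utils" ||
      path.endsWith("/node_modules/loader-utils");
    if (isLoaderUtils && !satisfiesOverride(entry.version)) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

// Constructed sample lockfile (not from a real project): one hoisted copy that
// satisfies the override and two nested copies that do not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/loader-utils": { version: "1.4.2" },
    "node_modules/typings-for-css-modules-loader": { version: "0.0.0-placeholder" },
    "node_modules/typings-for-css-modules-loader/node_modules/loader-utils": { version: "1.2.3" },
    "node_modules/css-loader/node_modules/loader-utils": { version: "2.0.0" },
  },
};

for (const { path, version } of findStaleLoaderUtils(sampleLock)) {
  console.log(`loader-utils ${version} at ${path} is outside ^1.4.2`);
}
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `findStaleLoaderUtils`; an empty result means every copy in the tree is within the override range.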

@Obi-Dann
Contributor

Merged, sorry for the wait. Going to prepare a release shortly

@MudulOzan

@Obi-Dann if fixed can we close this issue?
