Update loader-utils to address security vulnerabilities #18
The current version of `i18next-resource-store-loader` is using the `loader-utils` version `0.2.11`. This version has several security vulnerabilities.

webpack/loader-utils#214
https://nvd.nist.gov/vuln/detail/CVE-2022-37599
https://nvd.nist.gov/vuln/detail/CVE-2022-37601
https://nvd.nist.gov/vuln/detail/CVE-2022-37603

So using `i18next-resource-store-loader` in a project leads to several vulnerabilities being reported by third-party vulnerability analyzers since it is linking to a vulnerable version of the `loader-utils` library.

Seems that this project is using `loader-utils` for the `parseQuery` function only, which has been removed from version 3.0 of `loader-utils`.

Reference: https://github.com/webpack/loader-utils/blob/master/CHANGELOG.md

> removed `parseQuery` in favor `new URLSearchParams(loaderContext.resourceQuery.slice(1))` where `loaderContext` is `this` in loader function

As part of this PR, the `loader-utils` library dependency has been removed and calls to `parseQuery` have been replaced with `URLSearchParams`.

Ran the unit tests, which passed after the changes.
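The replacement described above, sketched as an added example (not code from this PR or from `i18next-resource-store-loader`): `parseResourceQuery` and the sample query strings are hypothetical. It parses `resourceQuery` with `URLSearchParams` into a null-prototype object, so a key such as `__proto__` arriving in the query string stays an ordinary own property.

```javascript
// Added example: hypothetical helper, not the loader's actual code.
// Parses a webpack loader's resourceQuery (e.g. "?include=%5C.json%24")
// without depending on loader-utils.
function parseResourceQuery(resourceQuery) {
  // Null-prototype object: keys like "__proto__" or "constructor" become
  // plain own properties and cannot reach Object.prototype.
  const options = Object.create(null);
  if (typeof resourceQuery !== 'string' || resourceQuery.length < 2) {
    return options; // no query, or just "?"
  }
  // slice(1) drops the leading "?", as in the loader-utils changelog note.
  const params = new URLSearchParams(resourceQuery.slice(1));
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    // URLSearchParams always yields strings: a bare "flag" gives "",
    // and repeated keys are kept here as an array of strings.
    options[key] = values.length === 1 ? values[0] : values;
  }
  return options;
}

// Constructed sample queries.
const sample = parseResourceQuery('?include=%5C.json%24&exclude=a&exclude=b&flag');
console.log(sample.include, sample.exclude, JSON.stringify(sample.flag));

const hostile = parseResourceQuery('?__proto__=x&__proto__[polluted]=1');
console.log(Object.keys(hostile), ({}).polluted);
```

Callers that relied on non-string option values need to convert them explicitly, since every value returned here is a string or an array of strings.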