Remove dependency on loader-utils and drop webpack 4 support #942

Merged
merged 4 commits into from Oct 26, 2022

@nied nied commented May 4, 2022

Please Read the CONTRIBUTING Guidelines
In particular the portion on Commit Message Formatting

Please check if the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Security

What is the current behavior?
Currently, babel-loader depends on loader-utils which in turn depends on json5@2.2.0 which in turn depends on minimist@1.2.5. Minimist of this version is vulnerable to GHSA-xvch-5gv4-984h. I started working on updating loader-utils to a new version, but as far as I can tell it's not really needed, as getOptions was removed in 3.0.0 and we can safely use loaderContext.getOptions instead.

What is the new behavior?
The only change in behaviour I'm aware of is that passing options as query parameters is no longer possible. This is explained in further detail at https://github.com/webpack/loader-utils/releases/tag/v3.0.0 - but since the usage of query parameters seems to be frowned upon I figured it was an ok trade-off.

Does this PR introduce a breaking change?

  • Yes
  • No

If this PR contains a breaking change, please describe the following...

  • Impact: Options can no longer be passed as query string parameters

  • Migration path for existing applications: move to use the options-object in the configuration instead. Examples of this migration can be found in the changes I made in the tests.

  • Github Issue(s) this is regarding:

  • Impact: Dropped webpack 4 support

  • Migration path for existing applications: Upgrade webpack to 5 or keep using babel-loader@8.

Other information:
This is my first contribution to babel-loader and fair warning: I don't 100% know what I'm doing in this code base so I'm happy to make any changes if that's needed.

Fixes #954
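
The chain described above (babel-loader > loader-utils > json5 > minimist) can be confirmed from a lockfile by resolving dependencies the way Node does. This is an added example, not code from the PR or from babel-loader; the lockfile fragment is constructed, the loader-utils version and all ranges are sample values, and `resolveDep` and `findChains` are hypothetical helper names.

```javascript
// Constructed fragment of an npm lockfile "packages" map (lockfileVersion 2/3).
// json5 and minimist versions follow the PR description; the loader-utils
// version and all ranges are sample values. A newer minimist is hoisted to the
// top level while the flagged copy stays nested under json5, which is the case
// a look at top-level node_modules alone would miss.
const sampleLock = {
  packages: {
    "": { name: "app", dependencies: { "babel-loader": "^8.2.5", minimist: "^1.2.6" } },
    "node_modules/babel-loader": { version: "8.2.5", dependencies: { "loader-utils": "^2.0.0" } },
    "node_modules/loader-utils": { version: "2.0.0", dependencies: { json5: "^2.1.2" } },
    "node_modules/json5": { version: "2.2.0", dependencies: { minimist: "^1.2.5" } },
    "node_modules/minimist": { version: "1.2.6" },
    "node_modules/json5/node_modules/minimist": { version: "1.2.5" },
  },
};

// Node-style resolution: look in the requiring package's own node_modules,
// then in each enclosing node_modules directory up to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an unmet optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every dependency chain from the root project to targetName@targetVersion.
// Chains are enumerated one by one, which is fine when auditing a single package.
function findChains(lock, targetName, targetVersion) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = {
      ...pkg.dependencies,
      ...pkg.optionalDependencies,
      ...(path === "" ? pkg.devDependencies : undefined), // dev deps only count at the root
    };
    for (const name of Object.keys(deps)) {
      const child = resolveDep(packages, path, name);
      if (!child || seen.has(child)) continue; // missing, or a dependency cycle
      const label = `${name}@${packages[child].version}`;
      if (name === targetName && packages[child].version === targetVersion) {
        chains.push([...trail, label].join(" > "));
        continue;
      }
      walk(child, [...trail, label], new Set(seen).add(child));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(sampleLock, "minimist", "1.2.5"));
```

Run against a real `package-lock.json` by passing the parsed file in place of `sampleLock`; an empty result after upgrading means no installed copy of that version is left.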

@@ -156,41 +156,6 @@ test.serial.cb(
},
);

test.serial.cb(
"should output files to standard cache dir if set to true in query",
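
Review bot: the test deleted here, "should output files to standard cache dir if set to true in query", is the coverage for the standard cache directory, and the hunk header (41 lines down to 6) shows it is dropped outright rather than ported. Only the query-string way of passing the setting goes away in this PR, so keep the assertions, pass the setting through the loader's options object, and rename the test so it no longer says "in query".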
Contributor

This is a test on cache behaviour. Can you adapt the query string to options so we don't have to remove this test?

Contributor Author

Whoops, sorry about that! Fixed in b9cc145.

@nied
Contributor Author

nied commented May 9, 2022

@JLHwung Do you need anything more from me to move this forward?

@Shivam60

Thanks for doing this @nied. Really appreciate you removing this vulnerability!!

@@ -55,8 +54,7 @@ function makeLoader(callback) {
async function loader(source, inputSourceMap, overrides) {
const filename = this.resourcePath;

let loaderOptions = loaderUtils.getOptions(this);

let loaderOptions = this.getOptions();
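
Review bot: `this.getOptions()` on the new `let loaderOptions` line is called unguarded, and the loader context only provides that method from webpack 5 on, so under webpack 4 the loader would fail with a bare TypeError at this line. Raise the webpack peer dependency range in the same change and state the new minimum in the README, so the incompatibility surfaces at install time instead of mid-build.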
Contributor

https://webpack.js.org/api/loaders/#thisgetoptionsschema loadContext#getOptions is available only in webpack 5+, we have to drop webpack 4 support, too.

@JLHwung JLHwung changed the title Remove dependency on loader-utils Remove dependency on loader-utils and drop webpack 4 support Oct 23, 2022
@nicolo-ribaudo nicolo-ribaudo merged commit 9a2451f into babel:main Oct 26, 2022
ivarconr pushed a commit to Unleash/unleash that referenced this pull request Nov 9, 2022
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [babel-loader](https://togithub.com/babel/babel-loader) | [`8.2.5` -> `9.1.0`](https://renovatebot.com/diffs/npm/babel-loader/8.2.5/9.1.0) | [![age](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/compatibility-slim/8.2.5)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/confidence-slim/8.2.5)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>babel/babel-loader</summary>

### [`v9.1.0`](https://togithub.com/babel/babel-loader/releases/tag/v9.1.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.0.1...v9.1.0)

#### New features

- Pass external dependencies from Babel to Webpack by [@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo) in babel/babel-loader#971

**Full Changelog**: babel/babel-loader@v9.0.1...v9.1.0

### [`v9.0.1`](https://togithub.com/babel/babel-loader/releases/tag/v9.0.1)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.0.0...v9.0.1)

##### Bug Fixes

- remove "node:" builtin prefix by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#970

**Full Changelog**: babel/babel-loader@v9.0.0...v9.0.1

### [`v9.0.0`](https://togithub.com/babel/babel-loader/releases/tag/v9.0.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v8.3.0...v9.0.0)

#### What's Changed

- update hash method mechanism so it doesn't fail on a fips enabled machine by [@darmbrust](https://togithub.com/darmbrust) in babel/babel-loader#939
- Require babel ^7.12.0 and Node.js >= 14.15.0 versions by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#956
- Remove dependency on loader-utils and drop webpack 4 support by [@nied](https://togithub.com/nied) in babel/babel-loader#942

#### New Contributors

- [@darmbrust](https://togithub.com/darmbrust) made their first contribution in babel/babel-loader#939
- [@nied](https://togithub.com/nied) made their first contribution in babel/babel-loader#942

**Full Changelog**: babel/babel-loader@v8.2.5...v9.0.0

### [`v8.3.0`](https://togithub.com/babel/babel-loader/releases/tag/v8.3.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v8.2.5...v8.3.0)

#### New features

- Pass external dependencies from Babel to Webpack by [@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo) in babel/babel-loader#971

**Full Changelog**: babel/babel-loader@v8.2.5...v8.3.0

</details>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
kodiakhq bot added a commit to weareinreach/InReach that referenced this pull request Nov 10, 2022
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [babel-loader](https://togithub.com/babel/babel-loader) | [`8.3.0` -> `9.1.0`](https://renovatebot.com/diffs/npm/babel-loader/8.3.0/9.1.0) | [![age](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/compatibility-slim/8.3.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/babel-loader/9.1.0/confidence-slim/8.3.0)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>babel/babel-loader</summary>

### [`v9.1.0`](https://togithub.com/babel/babel-loader/releases/tag/v9.1.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.0.1...v9.1.0)

#### New features

-   Pass external dependencies from Babel to Webpack by [@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo) in babel/babel-loader#971

**Full Changelog**: babel/babel-loader@v9.0.1...v9.1.0

### [`v9.0.1`](https://togithub.com/babel/babel-loader/releases/tag/v9.0.1)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.0.0...v9.0.1)

#### Bug Fixes

-   remove "node:" builtin prefix by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#970

**Full Changelog**: babel/babel-loader@v9.0.0...v9.0.1

### [`v9.0.0`](https://togithub.com/babel/babel-loader/releases/tag/v9.0.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v8.3.0...v9.0.0)

#### What's Changed

-   update hash method mechanism so it doesn't fail on a fips enabled machine by [@darmbrust](https://togithub.com/darmbrust) in babel/babel-loader#939
-   Require babel ^7.12.0 and Node.js >= 14.15.0 versions by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#956
-   Remove dependency on loader-utils and drop webpack 4 support by [@nied](https://togithub.com/nied) in babel/babel-loader#942

#### New Contributors

-   [@darmbrust](https://togithub.com/darmbrust) made their first contribution in babel/babel-loader#939
-   [@nied](https://togithub.com/nied) made their first contribution in babel/babel-loader#942

**Full Changelog**: babel/babel-loader@v8.2.5...v9.0.0

</details>

PR-URL: #41
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
JoeKarow pushed a commit to weareinreach/InReach that referenced this pull request Dec 3, 2022
benelan pushed a commit to Esri/calcite-design-system that referenced this pull request Dec 27, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [babel-loader](https://togithub.com/babel/babel-loader) | [`8.3.0` -> `9.1.3`](https://renovatebot.com/diffs/npm/babel-loader/8.3.0/9.1.3) | [![age](https://developer.mend.io/api/mc/badges/age/npm/babel-loader/9.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/babel-loader/9.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/babel-loader/8.3.0/9.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/babel-loader/8.3.0/9.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>babel/babel-loader (babel-loader)</summary>

### [`v9.1.3`](https://togithub.com/babel/babel-loader/releases/tag/v9.1.3)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.1.2...v9.1.3)

#### Security dependency updates

- Bump http-cache-semantics from 4.1.0 to 4.1.1 by [@dependabot](https://togithub.com/dependabot) in babel/babel-loader#982
- Bump semver from 7.3.2 to 7.5.2 by [@dependabot](https://togithub.com/dependabot) in babel/babel-loader#993
- bump find-cache-dir to v4 by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#995

#### New Contributors

- [@piwysocki](https://togithub.com/piwysocki) made their first contribution in babel/babel-loader#981
- [@comoser](https://togithub.com/comoser) made their first contribution in babel/babel-loader#897

**Full Changelog**: babel/babel-loader@v9.1.2...v9.1.3

### [`v9.1.2`](https://togithub.com/babel/babel-loader/releases/tag/v9.1.2)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.1.1...v9.1.2)

9.1.1 was a broken release, it didn't include all the commits.

#### Dependencies updates

- Bump qs from 6.5.2 to 6.5.3 by [@dependabot](https://togithub.com/dependabot) in babel/babel-loader#977
- Bump json5 from 2.2.1 to 2.2.3 by [@dependabot](https://togithub.com/dependabot) in babel/babel-loader#980

#### Misc

- GitHub Workflows security hardening by [@sashashura](https://togithub.com/sashashura) in babel/babel-loader#976

#### New Contributors

- [@sashashura](https://togithub.com/sashashura) made their first contribution in babel/babel-loader#976

**Full Changelog**: babel/babel-loader@v9.1.0...v9.1.2

### [`v9.1.1`](https://togithub.com/babel/babel-loader/compare/v9.1.0...v9.1.1)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.1.0...v9.1.1)

### [`v9.1.0`](https://togithub.com/babel/babel-loader/releases/tag/v9.1.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.0.1...v9.1.0)

#### New features

- Pass external dependencies from Babel to Webpack by [@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo) in babel/babel-loader#971

**Full Changelog**: babel/babel-loader@v9.0.1...v9.1.0

### [`v9.0.1`](https://togithub.com/babel/babel-loader/releases/tag/v9.0.1)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v9.0.0...v9.0.1)

#### Bug Fixes

- remove "node:" builtin prefix by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#970

**Full Changelog**: babel/babel-loader@v9.0.0...v9.0.1

### [`v9.0.0`](https://togithub.com/babel/babel-loader/releases/tag/v9.0.0)

[Compare Source](https://togithub.com/babel/babel-loader/compare/v8.3.0...v9.0.0)

#### What's Changed

- update hash method mechanism so it doesn't fail on a fips enabled machine by [@darmbrust](https://togithub.com/darmbrust) in babel/babel-loader#939
- Require babel ^7.12.0 and Node.js >= 14.15.0 versions by [@JLHwung](https://togithub.com/JLHwung) in babel/babel-loader#956
- Remove dependency on loader-utils and drop webpack 4 support by [@nied](https://togithub.com/nied) in babel/babel-loader#942

#### New Contributors

- [@darmbrust](https://togithub.com/darmbrust) made their first contribution in babel/babel-loader#939
- [@nied](https://togithub.com/nied) made their first contribution in babel/babel-loader#942

**Full Changelog**: babel/babel-loader@v8.2.5...v9.0.0

</details>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

loader-utils dependency v2 is vulnerable and should be updated to v3: CVE-2022-37599