V3 maintenance: loosen constraints on loader-utils dependency
#229
Conversation
|
@orien this is to maintain 2 major versions previous. Generally I go to a lot of effort to make sure the new versions are backwards compatible so people can upgrade without too much trouble. So before looking to do that can you please give reasons why you cannot use v4 or v5? |
|
Hi @bholloway, thanks for considering this. I have a gatsby.js app which is making use of the gatsby-plugin-sass plugin. This plugn has a dependency on The plugin has ~100K weekly downloads, so I imagine there many people in a similar situation to me. |
|
Okay not promising anything but let me fix the latest release and work backwards. In the mean time I'd suggest putting in an override to get |
|
FYI: There are security patches available for loader-utils version 1 (1.4.2). I expect jumping to this version is less work on this old branch. |
|
Perhaps this will help with the maintenance burden #230. |
|
I don't think there's any need to fix version V4 and V5. See #227 (comment). V3 is does have a hard dependency on a vulnerable library though. |
Any major version 1, after 1.2.3 should work. There are multiple CVEs against version 1.2.3. We should allow upgrading to a version that includes security patches. * CVE-2022-37599 - https://nvd.nist.gov/vuln/detail/CVE-2022-37599 * CVE-2022-37601 - https://nvd.nist.gov/vuln/detail/CVE-2022-37601 * CVE-2022-37603 - https://nvd.nist.gov/vuln/detail/CVE-2022-37603
|
IIRC it should retrigger CI to close and reopen, will try it |
|
Published 3.1.5 |
|
Thanks very much @bholloway. I appreciate it 🙇 |
Context
resolve-url-loaderversion 3 has a dependency onloader-utilsversion 1.2.3. There are multiple CVEs againstloader-utilsversion 1.2.3. It'd be awesome allow upgrading to a version that includes security patches!Change
Loosen the constraints on the version of
loader-utilsto any major version 1, 1.2.3 or above.This should maintain compatibility.