Vulnerability in loader-utils version

[StephanTransavia]

Bug report

Vulnerability of in dependency tree: minimist, dependency of loader-utils

Describe the bug

Nextjs has a dependency on loader-utils, currently using version 1.2.3.
In this version of loader-utils, there is a dependency on json5, which had a dependency on minimist in a version that has a vulnarability.
Loader-utils package fixed that dependency here:
webpack/loader-utils@c78786d#diff-b9cfc7f2cdf78a7f4b91a753d10865a2

Loader-utils has updated their dependency to minimist in 2.x. Hope it will be possible to upgrade to the new version?

The vulnarability is described here:
https://nvd.nist.gov/vuln/detail/CVE-2020-7598#vulnCurrentDescriptionTitle
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

To Reproduce

First of all the issue was found using Anchore cli
After that the cause of this particular dependency was found by:

1. using nextjs 9.3.0
2. yarn why minimist

result:

   - Hoisted from "next#loader-utils#json5#minimist"

System information

• OS: docker container node:lts-alpine
• Version of Next.js: 9.3.0

[timneutkens]

Duplicate of #11149

Specifically read:
#11149 (comment)

[StephanTransavia]

Oh cool, so there was one already, searched for it but didn't find it, sorry about that.

[timneutkens]

Opened #11324 to upgrade loader-utils although it's not needed to upgrade

[thatguyjono94]

@timneutkens just for my sanity could you explain how the loader-utils pr fixes the vulnerability
in npm audit? The path for the vulnerability in my case is next > mkdirp > minimist and next > webpack > mkdirp > minimist. It doesn't say anything about loader-utils. I'm just curious because the pr does remove the warnings.

[timneutkens]

Those are different. Both have been updated, check next@canary.

See #11149

[balazsorban44]

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.