react-refresh-webpack-plugin

Drop loader-utils dep

Open LukeCarrier opened this issue 1 year ago • 1 comments

Instead of require("loader-utils").getOptions(LoaderContext) we should be good with LoaderContext.getOptions(), where LoaderContext is bound to this.

This lets us drop the loader-utils dep, which until 3.2.1 contains a ReDoS vulnerability (CVE-2022-37603).

Note that since it is still a transitive dependency (via webpack-v4 and babel-loader), it will still be necessary to add a resolution for it.

LukeCarrier avatar Aug 16 '24 10:08 LukeCarrier


Hi - unfortunately we cannot do this right now as we support Webpack v4. This will be resolved in #851.

pmmmwh avatar Mar 10 '25 10:03 pmmmwh
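
The constraint discussed in this thread, as an added example that is not part of the issue or the plugin's own code: a loader that reads its options through `this.getOptions()` where the loader context provides it (webpack 5) and otherwise falls back to `this.query` (webpack 4), with no `loader-utils` import. `readLoaderOptions`, `parseQueryString`, `exampleLoader` and the sample contexts are hypothetical names constructed for illustration, and the string fallback covers only a subset of what `loader-utils` parses.

```javascript
// Added example: read loader options without loader-utils.
// All names here are hypothetical; this is not the plugin's code.

// Parse the "?..." string form that webpack 4 exposes as this.query.
// Covers only "?{json}" and "?key=value&flag"; loader-utils' own parser
// accepts more syntax, which this sketch does not reproduce.
function parseQueryString(query) {
  const body = query.slice(1);
  if (body.startsWith("{")) return JSON.parse(body);
  const options = {};
  for (const [key, value] of new URLSearchParams(body)) {
    // A bare flag such as "&esModule" has an empty value: treat it as true.
    options[key] = value === "" ? true : value;
  }
  return options;
}

function readLoaderOptions(loaderContext) {
  // webpack 5: the loader context provides getOptions() itself.
  if (typeof loaderContext.getOptions === "function") {
    return loaderContext.getOptions();
  }
  // webpack 4: no getOptions(); options arrive through this.query,
  // either as the options object or as a "?..." string.
  const query = loaderContext.query;
  if (query && typeof query === "object") return query;
  if (typeof query === "string" && query.length > 1) {
    return parseQueryString(query);
  }
  return {};
}

// A minimal loader using the helper; `this` is the loader context.
function exampleLoader(source) {
  const options = readLoaderOptions(this);
  return options.banner ? `/* ${options.banner} */\n${source}` : source;
}

// Constructed stand-ins for the loader contexts of each webpack version.
const webpack5Context = { getOptions: () => ({ banner: "v5" }) };
const webpack4ObjectContext = { query: { banner: "v4" } };
const webpack4StringContext = { query: "?banner=v4s&esModule" };

if (typeof module !== "undefined") module.exports = exampleLoader;
```
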