Loader-utils, a utility package for webpack loaders, has seen some key updates between versions 1.4.2 and 2.0.0. Notably, the json5 dependency has been bumped from version ^1.0.1 to ^2.1.2. This upgrade brings in potential improvements and bug fixes from the json5 library, which could affect how loader-utils handles JSON5 input within your webpack build process. Both versions keep the big.js and emojis-list dependencies, but the developer tooling has been updated significantly.
In version 2.0.0, the jest testing framework has been upgraded substantially from 21.2.1 to ^25.1.0, eslint from 5.11.0 to ^6.8.0, coveralls from 3.0.2 to ^3.0.9, and standard-version from 4.0.0 to ^7.1.0. These changes indicate a commitment to modern testing practices, code linting, and automated release management, which should result in a more stable and reliable library. Particularly interesting is the upgrade of eslint-plugin-node from ^8.0.0 to ^11.0.0, which offers improved linting rules specific to Node.js environments.
Although version 2.0.0 was released well before version 1.4.2, the important point is that the 2.0.0 line ships with an updated linter, potentially more secure dependencies through newer versions, and more modern practices such as the standard-version package for automatic versioning and changelog generation. These updates collectively point to an improved developer experience and better code quality within loader-utils. Developers should evaluate their project's compatibility with the updated dependencies before upgrading.
All vulnerabilities affecting version 2.0.0 of the package
Prototype pollution in webpack loader-utils
A prototype pollution vulnerability exists in the function parseQuery in parseQuery.js of webpack loader-utils prior to version 2.0.3, via the name variable in parseQuery.js.
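The parseQuery issue above is the classic shape of this bug class: an attacker-chosen key name written straight into an object with `result[name] = value`, so a key of `__proto__` reaches the prototype setter. The following is an added example, not loader-utils' own code: a deliberately simplified parser for `?a=1,b[]=x` style loader queries (the format, special values and function names are assumptions), shown beside a hardened version that decodes each key and rejects the ones that address the prototype chain.

```javascript
// Added illustration, not loader-utils' own code: a simplified parser for
// "?a=1,b[]=x" style loader queries (format and function names are assumptions).
const specialValues = { null: null, true: true, false: false };
// Shared parsing loop; toKey decides what happens to attacker-chosen key names.
function parseQueryWith(query, toKey) {
  const result = {};
  for (const arg of query.slice(1).split(/[,&]/)) {
    if (!arg) continue;
    const idx = arg.indexOf('=');
    const name = idx >= 0 ? arg.slice(0, idx) : arg;
    let value = idx >= 0 ? decodeURIComponent(arg.slice(idx + 1)) : true;
    if (Object.prototype.hasOwnProperty.call(specialValues, value)) value = specialValues[value];
    if (name.endsWith('[]')) {
      const key = toKey(name.slice(0, -2));
      // With key === "__proto__" this assignment swaps result's prototype for the new array.
      if (!Array.isArray(result[key])) result[key] = [];
      result[key].push(value);
    } else {
      // With key === "__proto__" and value null this detaches result from Object.prototype.
      result[toKey(name)] = value;
    }
  }
  return result;
}
// Vulnerable pattern: the decoded name is used as-is, so "__proto__" reaches the setter.
function parseQueryNaive(query) {
  return parseQueryWith(query, decodeURIComponent);
}
// Hardened pattern: decode first (so %5F%5Fproto%5F%5F is caught too), then reject keys that
// reach the prototype chain; constructor/prototype only become risky once a downstream deep merge walks them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(query) {
  return parseQueryWith(query, (raw) => {
    const key = decodeURIComponent(raw);
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`query key "${key}" is not allowed`);
    return key;
  });
}
// Effect on the returned object: local to it here, but a consumer merging it into shared config inherits the problem.
function demo() {
  const detached = parseQueryNaive('?__proto__=null&x=1');
  const arrayLike = parseQueryNaive('?__proto__[]=evil');
  let rejected = false;
  try { parseQuerySafe('?%5F%5Fproto%5F%5F=null'); } catch (e) { rejected = true; }
  return { prototypeDetached: Object.getPrototypeOf(detached) === null,
           hasOwnPropertyGone: typeof detached.hasOwnProperty === 'undefined',
           inheritsArrayMethods: typeof arrayLike.push === 'function' && arrayLike.length === 1,
           rejected };
}
```

Calling `demo()` shows that the naive parser returns objects whose prototype has been replaced or removed, while the hardened one refuses the key before it is ever assigned.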
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via the url variable
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0, via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportionate amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils, via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportionate amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.