Resolve-url-loader is a Webpack loader designed to simplify the management of relative paths within url() statements in your CSS, SCSS, or similar files. It ensures that these paths are resolved correctly, taking into account the original source file's location, which can be crucial when dealing with complex project structures or CSS preprocessors. Versions 2.0.2 and 2.0.3 share a common foundation, offering the same core functionality of accurately resolving relative URLs in your stylesheets. Both versions rely on a suite of dependencies, including adjust-sourcemap-loader for source map adjustments, camelcase for converting strings, convert-source-map for working with source maps, loader-utils for Webpack loader utilities, lodash.defaults for object manipulation, rework and rework-visit for CSS processing, source-map for source map generation, and urix for URI manipulation.
The key difference lies in the release date, with version 2.0.3 arriving on June 16, 2017, subsequent to version 2.0.2 released on March 3, 2017. While the dependency list remains identical, this newer release typically signifies bug fixes, performance improvements, or minor enhancements that contribute to a more robust and reliable development experience. Developers should consider upgrading to the latest minor or patch version (in this case, 2.0.3) to benefit from these potential improvements and maintain compatibility with other tools in their Webpack workflow.
All the vulnerabilities related to the version 2.0.3 of the package
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
