Resolve-url-loader is a Webpack loader designed to simplify handling relative paths within url() statements in CSS and similar files. It ensures that paths are resolved correctly relative to the original source file, preventing issues when these files are processed or moved during the build process. Comparing version 2.3.0 with its predecessor, 2.2.1, reveals a few key updates relevant for developers.
One notable change is in the dependency versions. Version 2.3.0 updates camelcase to ^4.1.0, convert-source-map to ^1.5.1, loader-utils to ^1.1.0, and source-map to ^0.5.7. These updates likely include bug fixes, performance improvements, and potentially new features within those dependent packages. Notably, source-map update is relevant to correctly debug the code.
Furthermore, version 2.3.0 includes a fileCount and unpackedSize property in the dist object, providing insights into the package's size and structure. This addition, while seemingly minor, may be useful for developers concerned about build times and bundle sizes. Developers upgrading from 2.2.1 to 2.3.0 should review the changelogs for camelcase, convert-source-map, loader-utils, and source-map to fully understand the implications of these dependency updates. Overall, version 2.3.0 appears to be a relatively minor update focused on dependency maintenance and potentially improved stability.
All the vulnerabilities related to the version 2.3.0 of the package
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
