Resolve-url-loader is a webpack loader designed to accurately resolve relative paths within url() statements in CSS and related files, ensuring correct asset referencing after webpack processes your stylesheets. Comparing version 3.0.0 with the previous stable version 2.3.2, several key differences emerge impacting developers.
Version 3.0.0 introduces new dependencies: compose-function and postcss, suggesting improvements or changes in how the loader handles CSS transformations and composition. This version also deprecates the dependency to urix and adds es6-iterator. Crucially, the introduction of postcss signifies a shift toward a more robust and modern CSS processing pipeline, offering potentially better compatibility with advanced CSS features and preprocessors. These changes can be important for developers, as version 3 might affect backward compatibility with legacy projects.
The file count within the distributed package has increased from 6 to 14, and the unpacked size grows significantly, indicating expanded functionality or more comprehensive processing capabilities within the loader. This also suggest potentially better source map handling, crucial for debugging in development environments.
The most important thing is that the newer 3.0.0 version may introduce breaking changes related to the postprocessing of the CSS files. Developers considering an upgrade should carefully review the changes to the loader's behavior and consider migration strategies to adapt to any updates in processing logic or configuration requirements.
All the vulnerabilities related to the version 3.0.0 of the package
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
