This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

[Security Vulnerability] expo/webpack-config@^0.17.2 loader-utils 2.0.0 is deprecated #4570

Closed
Donhv opened this issue Oct 18, 2022 · 2 comments
Labels
needs review Issue is ready to be reviewed by a maintainer Platform: web Using Expo in the browser

Comments


Donhv commented Oct 18, 2022

Summary

Nexus IQ Server found security vulnerability GHSA-76p3-8jx3-jpfq.
We need to migrate loader-utils to version 3.
Could you please suggest a webpack version that fits it?

Environment

expo/webpack-config@^0.17.2

Please specify your device/emulator/simulator platform, model and version

web

Error output

No response

Reproducible demo or steps to reproduce from a blank project

expo/webpack-config@^0.17.2

@Donhv Donhv added the needs review Issue is ready to be reviewed by a maintainer label Oct 18, 2022
@EvanBacon EvanBacon added the Platform: web Using Expo in the browser label Nov 2, 2022
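
The advisory Donhv cites, GHSA-76p3-8jx3-jpfq, is a prototype pollution bug reached through a loader query-string parser. What follows is an added example, not loader-utils' code and not part of this thread: a constructed toy parser with the same class of defect, beside a hardened version. The `?a[b]=c` grammar, the `__proto__[isAdmin]=true` payload and the helper names are assumptions made for the toy, not the payload or code from the advisory.

```javascript
// Added illustration of the bug class named in GHSA-76p3-8jx3-jpfq
// (prototype pollution through a loader query-string parser). Both parsers
// below are CONSTRUCTED toys, not loader-utils' code, and the payload is a
// generic one for this toy grammar ("?a[b]=c" assigns result.a.b = "c").

function splitPairs(query) {
  // "?x=1&y[z]=2" -> [["x", "1"], ["y[z]", "2"]]; keys and values are URL-decoded.
  if (typeof query !== "string" || query[0] !== "?") return [];
  const pairs = [];
  for (const pair of query.slice(1).split("&")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    pairs.push([
      decodeURIComponent(pair.slice(0, idx)),
      decodeURIComponent(pair.slice(idx + 1)),
    ]);
  }
  return pairs;
}

// Vulnerable: walks user-controlled keys into `result` with no filtering.
// With "?__proto__[isAdmin]=true" the first hop reads result.__proto__, the
// inherited accessor, so `target` becomes Object.prototype and the final
// assignment lands on every plain object in the process.
function parseQueryVulnerable(query) {
  const result = {};
  for (const [name, value] of splitPairs(query)) {
    const path = name.replace(/\]/g, "").split("[");
    let target = result;
    for (const key of path.slice(0, -1)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      target = target[key];
    }
    target[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: prototype-less containers, so there is no prototype chain to
// reach, plus an explicit deny-list for the keys that could still name one.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [name, value] of splitPairs(query)) {
    const path = name.replace(/\]/g, "").split("[");
    for (const key of path) {
      if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected query key: ${key}`);
    }
    let target = result;
    for (const key of path.slice(0, -1)) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      target = target[key];
    }
    target[path[path.length - 1]] = value;
  }
  return result;
}

// Runs the same payload through both parsers and reports whether an unrelated
// object picked up the attacker's property. Cleans up after the vulnerable run
// so the rest of the process is not left polluted.
function demonstrate() {
  const payload = "?__proto__[isAdmin]=true";
  const outcome = { vulnerableLeaked: false, safeRejected: false, safeLeaked: false };

  parseQueryVulnerable(payload);
  outcome.vulnerableLeaked = ({}).isAdmin === "true";
  delete Object.prototype.isAdmin;

  try {
    parseQuerySafe(payload);
  } catch (err) {
    outcome.safeRejected = /rejected query key/.test(err.message);
  }
  outcome.safeLeaked = ({}).isAdmin !== undefined;
  return outcome;
}

console.log(demonstrate());
```

The point of the hardened version is that the fix is two independent layers: `Object.create(null)` removes the inherited `__proto__` accessor so the walk cannot step onto `Object.prototype` at all, and the deny-list rejects the request outright instead of silently creating an own property named `__proto__`, which is what a prototype-less object would otherwise do.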

bobOnGitHub commented Nov 15, 2022

Looks like I have a related issue with dependencies and security issues in the latest @expo/webpack-config:

[bob@wsa NetBeansProjects]$ npx create-expo-app test
✔ Downloaded and extracted project files.
✔ Installed JavaScript dependencies.

✅ Your project is ready!

To run your project, navigate to the directory and run one of the following npm commands.

- cd test
- npm run android
- npm run ios # you need to use macOS to build the iOS project - use the Expo app if you need to do iOS development without a Mac
- npm run web
[bob@wsa NetBeansProjects]$ cd test
[bob@wsa test]$ npx expo install react-dom react-native-web 
› Installing 2 SDK 47.0.0 compatible native modules using npm
> npm install

added 9 packages, and audited 1130 packages in 6s

52 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

[bob@wsa test]$ npx expo install @expo/webpack-config
› Installing 1 SDK 47.0.0 compatible native module using npm
> npm install
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.

added 680 packages, and audited 1810 packages in 28s

126 packages are looking for funding
  run `npm fund` for details

23 vulnerabilities (2 moderate, 17 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

[bob@wsa test]$ npm list --depth 0
test@1.0.0 /home/bob/NetBeansProjects/test
├── @babel/core@7.20.2
├── @expo/webpack-config@0.17.3
├── bindings@1.5.0 extraneous
├── expo-status-bar@1.4.2
├── expo@47.0.5
├── file-uri-to-path@1.0.0 extraneous
├── nan@2.17.0 extraneous
├── react-dom@18.1.0
├── react-native-web@0.18.10
├── react-native@0.70.5
└── react@18.1.0

[bob@wsa test]$ npm audit
# npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server
    @expo/webpack-config  *
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@expo/webpack-config

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/immer

loader-utils  2.0.0 - 2.0.2
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/react-dev-utils/node_modules/loader-utils

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/recursive-readdir/node_modules/minimatch
  recursive-readdir  1.2.0 - 2.2.2
  Depends on vulnerable versions of minimatch
  node_modules/recursive-readdir

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/selfsigned/node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix --force`
Will install @expo/webpack-config@0.16.19, which is a breaking change
node_modules/react-dev-utils/node_modules/shell-quote

23 vulnerabilities (2 moderate, 17 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
[bob@wsa test]$ 

Give it a go!

[bob@wsa test]$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating @expo/webpack-config to 0.16.19, which is a SemVer major change.

added 20 packages, removed 141 packages, changed 3 packages, and audited 1686 packages in 5s

120 packages are looking for funding
  run `npm fund` for details

# npm audit report

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
No fix available
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils
    @expo/webpack-config  *
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    node_modules/@expo/webpack-config

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
No fix available
node_modules/immer

loader-utils  2.0.0 - 2.0.2
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
No fix available
node_modules/react-dev-utils/node_modules/loader-utils

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
No fix available
node_modules/recursive-readdir/node_modules/minimatch
  recursive-readdir  1.2.0 - 2.2.2
  Depends on vulnerable versions of minimatch
  node_modules/recursive-readdir

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
No fix available
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
No fix available
node_modules/react-dev-utils/node_modules/shell-quote

19 vulnerabilities (1 moderate, 14 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

[bob@wsa test]$ npm list --depth 0
test@1.0.0 /home/bob/NetBeansProjects/test
├── @babel/core@7.20.2
├── @expo/webpack-config@0.16.19
├── expo-status-bar@1.4.2
├── expo@47.0.5
├── react-dom@18.1.0
├── react-native-web@0.18.10
├── react-native@0.70.5
└── react@18.1.0


I'm looking at this and thinking... will I spend days figuring out it isn't fixable? And why is it downgrading webpack-config to fix the issues?

Any ideas? Anyone?

[bob@wsa test]$ npx expo-env-info

  expo-env-info 1.0.5 environment info:
    System:
      OS: Linux 4.18 AlmaLinux 8.6 (Sky Tiger)
      Shell: 4.4.20 - /bin/bash
    Binaries:
      Node: 16.18.0 - /usr/local/bin/node
      Yarn: 1.22.19 - /usr/local/bin/yarn
      npm: 8.19.2 - /usr/local/bin/npm
    npmPackages:
      @expo/webpack-config: ^0.16.19 => 0.16.19 
      expo: ~47.0.5 => 47.0.5 
      react: 18.1.0 => 18.1.0 
      react-dom: 18.1.0 => 18.1.0 
      react-native: 0.70.5 => 0.70.5 
      react-native-web: ~0.18.9 => 0.18.10 
    Expo Workflow: managed
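
Both questions in this thread, which version to pin and why `npm audit fix --force` moved @expo/webpack-config down to 0.16.19, come down to which resolved copy of loader-utils sits in the flagged range `2.0.0 - 2.0.2` and how to replace that copy without waiting for the direct dependency to change. The script below is an added example, not Expo's, npm's or any commenter's code: it walks an `npm ls --all --json`-shaped tree, lists every resolved copy of a package with its dependency path, flags the copies inside an advisory range, and builds the package.json `overrides` stanza (npm 8.3 and later) that pins a replacement. The sample tree is constructed to mirror the chain in the audit output above; the react-dev-utils version, the hoisted 3.x copy and the `^2.0.3` pin target are assumptions.

```javascript
// Added triage helper (not Expo's or npm's code): walk an `npm ls --all --json`
// shaped tree, list every resolved copy of a package with its dependency path,
// flag the copies inside an advisory's vulnerable range, and build the
// package.json "overrides" stanza (npm >= 8.3) that pins a replacement.
// SAMPLE_TREE is CONSTRUCTED to mirror the chain in the audit output above;
// the react-dev-utils version and the hoisted 3.x copy are assumptions.

const SAMPLE_TREE = {
  name: "test",
  version: "1.0.0",
  dependencies: {
    "@expo/webpack-config": {
      version: "0.17.3",
      dependencies: {
        "react-dev-utils": {
          version: "11.0.4", // assumed
          dependencies: {
            "loader-utils": { version: "2.0.0" }, // nested copy the audit flags
          },
        },
      },
    },
    "loader-utils": { version: "3.2.0" }, // assumed hoisted copy, outside the range
  },
};

// "2.0.2" -> [2, 0, 2]; a pre-release suffix ("2.0.0-beta.1") is dropped.
function parseSemver(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric comparison, so "2.0.10" sorts after "2.0.2" (a string compare would not).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive range check matching npm audit's "2.0.0 - 2.0.2" notation.
function inRange(version, lo, hi) {
  return compareSemver(version, lo) >= 0 && compareSemver(version, hi) <= 0;
}

// Every resolved copy of `name`, with the path from the root package to it.
// Entries without a version (deduped references) are skipped.
function findCopies(tree, name) {
  const hits = [];
  (function walk(node, path) {
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, dep];
      if (dep === name && child.version) hits.push({ version: child.version, path: here });
      walk(child, here);
    }
  })(tree, []);
  return hits;
}

function findVulnerableCopies(tree, name, lo, hi) {
  return findCopies(tree, name).filter((h) => inRange(h.version, lo, hi));
}

// package.json fragment that forces every copy of `name` to `spec`. The
// override applies regardless of what the dependent declared, so it must be
// verified afterwards with `npm ls <name>` and by actually running the app.
function overrideStanza(name, spec) {
  return { overrides: { [name]: spec } };
}

// One line per flagged copy, then the stanza to paste into package.json.
// The range is the one from the audit output on this page; the pin target is
// the next version after it and must be checked against the advisory first.
function report(tree, name, lo, hi, pinTo) {
  const lines = findVulnerableCopies(tree, name, lo, hi).map(
    (h) => `${h.path.join(" > ")}@${h.version} is in ${lo} - ${hi}`
  );
  lines.push(JSON.stringify(overrideStanza(name, pinTo)));
  return lines;
}

console.log(report(SAMPLE_TREE, "loader-utils", "2.0.0", "2.0.2", "^2.0.3").join("\n"));
```

Real input comes from `npm ls --all --json > tree.json` in the project. Two caveats a practitioner should keep in mind: `npm audit fix --force` only searches for a version of the direct dependency whose own tree avoids the flagged paths, which is why it can pick a lower @expo/webpack-config; and an override silently replaces the copy the dependent asked for, so pinning across a major version (the v3 migration Donhv asks about) can make `npm audit` go green while breaking consumers of the old API. Start the web dev server after applying it, not just the audit.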

EvanBacon (Contributor) commented:

#3763
