Vulnerability in loader-utils version #11323
Comments
Duplicate of #11149. Specifically read:
Oh cool, so there was one already; I searched for it but didn't find it, sorry about that.
Opened #11324 to upgrade loader-utils, although it's not needed to upgrade.
@timneutkens just for my sanity, could you explain how the loader-utils PR fixes the vulnerability?
Those are different. Both have been updated; see #11149.
Bug report
Vulnerability in dependency tree: minimist, a dependency of loader-utils
Describe the bug
Next.js has a dependency on loader-utils, currently using version 1.2.3.
In this version of loader-utils, there is a dependency on json5, which has a dependency on minimist in a version that has a vulnerability.
Loader-utils package fixed that dependency here:
webpack/loader-utils@c78786d#diff-b9cfc7f2cdf78a7f4b91a753d10865a2
Loader-utils has updated their dependency to minimist in 2.x. Hope it will be possible to upgrade to the new version?
The vulnerability is described here:
https://nvd.nist.gov/vuln/detail/CVE-2020-7598#vulnCurrentDescriptionTitle
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
To Reproduce
First of all, the issue was found using the Anchore CLI.
After that, the cause of this particular dependency was found by:
yarn why minimist
result:
System information