html-webpack-plugin v3.2.0 uses loader-utils v0.2.16 with CVE-2022-37601
hgwr opened this issue · 2 comments
Current behaviour
html-webpack-plugin v3.2.0 uses loader-utils v0.2.16 with CVE-2022-37601 vulnerability.
https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50
@vue/cli-service v4.5.19 uses html-webpack-plugin v3.2.0 .
https://github.com/vuejs/vue-cli/blob/v4.5.19/yarn.lock#L10940
So, Dependabot is raising a warning on products using @vue/cli-service v4.5.19.
Expected behaviour
It is expected that Dependabot will no longer warn about CVE-2022-37601.
If html-webpack-plugin had a 3.x branch, I could have made a pull request for it, but it does not. So I made a pull request in the repository I forked.
Please use the above pull request if you like. And please release v3.2.1 of html-webpack-plugin that uses loader-utils v1.4.2, which is no longer vulnerable.
Reproduction Example
see https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50
"loader-utils": "^0.2.16",
Environment
$ node -e "var os=require('os');console.log('Node.js ' + process.version + '\n' + os.platform() + ' ' + os.release())"
Node.js v14.18.2
darwin 21.6.0
$ npm --version
6.14.15
$ npm ls webpack
├─┬ @vue/cli-plugin-babel@4.3.1
│ └── webpack@4.46.0 deduped
├─┬ @vue/cli-plugin-eslint@4.3.1
│ └── webpack@4.46.0 deduped
├─┬ @vue/cli-plugin-pwa@4.3.1
│ └── webpack@4.46.0 deduped
├─┬ @vue/cli-plugin-typescript@4.3.1
│ └── webpack@4.46.0 deduped
├─┬ @vue/cli-service@4.5.19
│ └── webpack@4.46.0 deduped
└── webpack@4.46.0
$ npm ls html-webpack-plugin
└─┬ @vue/cli-service@4.5.19
  └── html-webpack-plugin@3.2.0
Also html-webpack-plugin@4.5.0 has a dependency on loader-utils@^1.2.3.
This introduces a transitive dependency on JSON5, allowing Prototype Pollution in JSON5 via the Parse Method.
GHSA-9c47-m6qq-7p4h
Please update html-webpack-plugin to the latest version; this version is deprecated and no longer gets updates. Sorry, feel free to give feedback.