jantimon/html-webpack-plugin

html-webpack-plugin v3.2.0 uses loader-utils v0.2.16 with CVE-2022-37601

hgwr opened this issue · 2 comments

hgwr commented

Current behaviour 💣

html-webpack-plugin v3.2.0 uses loader-utils v0.2.16 with CVE-2022-37601 vulnerability.

https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50

@vue/cli-service v4.5.19 uses html-webpack-plugin v3.2.0 .

https://github.com/vuejs/vue-cli/blob/v4.5.19/yarn.lock#L10940

So, Dependabot is raising a warning on products using @vue/cli-service v4.5.19.

Expected behaviour ☀️

It is expected that Dependabot will no longer warn about CVE-2022-37601.

If html-webpack-plugin had a 3.x branch, I could have made a pull request for it, but it does not. So I made a pull request in the repository I forked.

hgwr#1

Please use the above pull request if you like. And please release v3.2.1 of html-webpack-plugin that uses loader-utils v1.4.2, which is no longer vulnerable.

Reproduction Example 👾

see https://github.com/jantimon/html-webpack-plugin/blob/v3.2.0/package.json#L50

"loader-utils": "^0.2.16",

Environment 🖥

$ node -e "var os=require('os');console.log('Node.js ' + process.version + '\n' + os.platform() + ' ' + os.release())"
Node.js v14.18.2
darwin 21.6.0
$ npm --version
6.14.15
$ npm ls webpack
├─┬ @vue/cli-plugin-babel@4.3.1
│ └── webpack@4.46.0  deduped
├─┬ @vue/cli-plugin-eslint@4.3.1
│ └── webpack@4.46.0  deduped
├─┬ @vue/cli-plugin-pwa@4.3.1
│ └── webpack@4.46.0  deduped
├─┬ @vue/cli-plugin-typescript@4.3.1
│ └── webpack@4.46.0  deduped
├─┬ @vue/cli-service@4.5.19
│ └── webpack@4.46.0  deduped
└── webpack@4.46.0
$ npm ls html-webpack-plugin
└─┬ @vue/cli-service@4.5.19
  └── html-webpack-plugin@3.2.0

Also html-webpack-plugin@4.5.0 has a dependency on loader-utils@^1.2.3.
This introduces a transitive dependency on JSON5, allowing Prototype Pollution in JSON5 via Parse Method.
GHSA-9c47-m6qq-7p4h

Please update html-webpack-plugin to the latest version, this version is deprecated and no longer gets updates, sorry, feel free to give feedback