vuepress
the vuepress-html-webpack-plugin lib dependency
- [X] I confirm that this is an issue rather than a question.
Bug report
vuepress 1.9.10 still uses the vuepress-html-webpack-plugin v3.2.0 lib. From what I researched, I couldn't find its code, and it's also no longer receiving maintenance. This lib uses loader-utils v0.2.16, which has a high vulnerability, and it is not possible to update it because of this vuepress-html-webpack-plugin dependency.
I saw that we already had an issue about this lib: https://github.com/vuejs/vuepress/issues/1303 and https://github.com/vuejs/vuepress/issues/698
Steps to reproduce
- I created a vuepress project in version 1.9.10
- Run npm audit
- Note the loader-utils vulnerability
What is expected?
Stop using the lib and migrate to html-webpack-plugin.
What is actually happening?
The package was published and has not been updated since 2018.
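
Added example, not part of the original issue or of the vuepress project: to confirm which installed package pins the loader-utils copy that `npm audit` reports, this Node.js code walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and resolves each declared dependency the way Node does. The sample lockfile, its version ranges and the `example-loader` package are constructed for illustration; only the 1.9.10, v3.2.0 and v0.2.16 versions come from the report.

```javascript
// Constructed sample lockfile (lockfileVersion 2/3 "packages" map). The ranges
// and the "example-loader" package are illustrative, not real manifest data.
const sampleLock = {
  packages: {
    "": { dependencies: { vuepress: "1.9.10", "example-loader": "^1.0.0" } },
    "node_modules/vuepress": { version: "1.9.10",
      dependencies: { "vuepress-html-webpack-plugin": "^3.2.0" } },
    "node_modules/vuepress-html-webpack-plugin": { version: "3.2.0",
      dependencies: { "loader-utils": "^0.2.16" } },
    "node_modules/vuepress-html-webpack-plugin/node_modules/loader-utils":
      { version: "0.2.16" },
    "node_modules/example-loader": { version: "1.0.0",
      dependencies: { "loader-utils": "^1.4.0" } },
    "node_modules/loader-utils": { version: "1.4.2" },
  },
};

// Mirror Node's lookup: the dependent's own node_modules first, then each ancestor's.
function resolveInstall(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// List every package that declares `target`, the copy it resolves to, and
// whether that copy's version is one the caller flags.
function whoPins(lock, target, isFlagged) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!(target in deps)) continue;
    const resolvedPath = resolveInstall(packages, path, target);
    const resolved = resolvedPath ? packages[resolvedPath].version : null;
    hits.push({ dependent: path.split("node_modules/").pop() || "(root)",
      range: deps[target], resolved, flagged: resolved !== null && isFlagged(resolved) });
  }
  return hits;
}

// Flag the version named in the report above.
const report = whoPins(sampleLock, "loader-utils", (v) => v === "0.2.16");
console.log(report.filter((h) => h.flagged));
```

On a real project, pass the parsed contents of package-lock.json instead of `sampleLock`; the flagged entry shows which dependent's range keeps the old copy installed even when a newer one is hoisted.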