babel-loader
Remove dependency on loader-utils
Please read the CONTRIBUTING Guidelines, in particular the portion on Commit Message Formatting.
Please check if the PR fulfills these requirements
- [x] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been added / updated (for bug fixes / features)
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
- [ ] Bugfix
- [ ] Feature
- [ ] Code style update (formatting, local variables)
- [ ] Refactoring (no functional changes, no api changes)
- [ ] Build related changes
- [ ] CI related changes
- [x] Security
What is the current behavior?
Currently, `babel-loader` depends on `loader-utils` which in turn depends on [email protected] which in turn depends on [email protected]. Minimist of this version is vulnerable to https://github.com/advisories/GHSA-xvch-5gv4-984h. I started working on updating `loader-utils` to a new version, but as far as I can tell it's not really needed, as `getOptions` was removed in 3.0.0 and we can safely use `loaderContext.getOptions` instead.
What is the new behavior?
The only change in behaviour I'm aware of is that passing options as query parameters is no longer possible. This is explained in further detail at https://github.com/webpack/loader-utils/releases/tag/v3.0.0 - but since the usage of query parameters seems to be frowned upon I figured it was an ok trade-off.
Does this PR introduce a breaking change?
- [x] Yes
- [ ] No
If this PR contains a breaking change, please describe the following...
- Impact: Options can no longer be passed as query string parameters
- Migration path for existing applications: move to use the `options`-object in the configuration instead. Examples of this migration can be found in the changes I made in the tests.
- Github Issue(s) this is regarding:
Other information:
This is my first contribution to `babel-loader` and fair warning: I don't 100% know what I'm doing in this code base so I'm happy to make any changes if that's needed.
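The migration described in this PR, as an added example that is not part of the PR or of babel-loader: a checker that walks a webpack `module.rules` array and reports `babel-loader` entries still configured through a query string, with a suggested `options` object for each. The function names and the sample config are assumptions constructed for illustration; the conversion covers only the simple `key=value`, `key[]=value` and bare-flag forms and leaves JSON-style queries for manual conversion.

```javascript
// Added example; all names here are illustrative, not babel-loader or webpack APIs.
const isBabelLoader = (name) => /(^|[\\\/])babel-loader($|[\\\/])/.test(name);

// Converts the simple query forms (key=value, key[]=value, bare flag) to an object.
// Returns null for JSON-style queries ("?{...}"), which need manual conversion.
function queryToOptions(query) {
  if (query.startsWith("{")) return null;
  const options = new Map(); // a Map keeps keys such as __proto__ off a plain object
  for (const part of query.split(/[,&]/).filter(Boolean)) {
    const eq = part.indexOf("=");
    const rawKey = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const value = eq === -1 ? true : decodeURIComponent(part.slice(eq + 1));
    const isList = rawKey.endsWith("[]");
    const key = isList ? rawKey.slice(0, -2) : rawKey;
    options.set(key, isList ? [].concat(options.get(key) || [], value) : value);
  }
  return Object.fromEntries(options);
}

// Walks module.rules (including nested `rules` and `oneOf`) for "?query" suffixes.
function findQueryStringBabelLoaders(rules, path = "module.rules") {
  const findings = [];
  (rules || []).forEach((rule, i) => {
    if (!rule || typeof rule !== "object") return;
    const here = `${path}[${i}]`;
    const entries = [];
    if (typeof rule.loader === "string") entries.push([`${here}.loader`, rule.loader]);
    [].concat(rule.use || []).forEach((u, j) => {
      const request = typeof u === "string" ? u : u && u.loader;
      if (typeof request === "string") entries.push([`${here}.use[${j}]`, request]);
    });
    for (const [where, request] of entries) {
      const q = request.indexOf("?");
      if (q === -1 || !isBabelLoader(request.slice(0, q))) continue;
      findings.push({ where, options: queryToOptions(request.slice(q + 1)) });
    }
    findings.push(...findQueryStringBabelLoaders(rule.oneOf, `${here}.oneOf`));
    findings.push(...findQueryStringBabelLoaders(rule.rules, `${here}.rules`));
  });
  return findings;
}

// Constructed sample config (not from the PR): two legacy entries, one migrated.
const sampleConfig = { module: { rules: [
  { test: /\.js$/, loader: "babel-loader?presets[]=@babel/preset-env&cacheDirectory" },
  { oneOf: [{ test: /\.mjs$/, use: ["babel-loader", { loader: "babel-loader?{presets:[]}" }] }] },
  { test: /\.jsx$/, loader: "babel-loader", options: { presets: ["@babel/preset-react"] } },
] } };
console.log(JSON.stringify(findQueryStringBabelLoaders(sampleConfig.module.rules), null, 2));
```

Each finding names the rule to edit; a `null` in `options` marks a query that has to be converted by hand.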
@JLHwung Do you need anything more from me to move this forward?
Thanks for doing this @nied. Really appreciate you removing this vulnerability!!