Loader-utils security vulnerability (app platform)

Got an email from github today about a vulnerability in the loader-utils package on a DHIS2 app platform project and it seems this is an internal dependency of the app platform. What action would you advise I take? Perhaps just updating to the latest version will resolve the issue.

1 Like

Thank you for your post @plinnegan! I’m reposting this to @dhis2-security and someone from the security team will have a look.

@plinnegan thanks for posting!

The vulnerabilities in loader-utils are of the types prototype pollution and denial of service. Since we only use loader-utils through our dependency on webpack at build-time, the vulnerable library shouldn’t ever be exposed to untrusted input and therefore this shouldn’t be a legitimate security concern.

We will bump the version in app-platform once webpack fixes this. In the meantime you might be able to selectively upgrade the version of loader-utils in your application lockfile, but I don’t believe this should be critical for the reason described above.

3 Likes
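The triage step in the answer above (confirming that the flagged package is only reachable through a build-time dependency such as webpack) can be checked directly against the application's package-lock.json. The script below is an added example, not DHIS2 or app-platform code; it parses a constructed lockfile sample in the npm v2/v3 layout, lists every installed copy of loader-utils with its version, and flags any copy that npm does not mark `dev` (and so could end up in runtime code).

```python
"""Triage a lockfile alert: is loader-utils only a build-time (dev) dependency?

Reads an npm package-lock.json (lockfileVersion 2 or 3) and reports each
installed copy of the flagged package with its version and whether npm marks
it "dev", i.e. pulled in only by devDependencies such as webpack. A copy that
is NOT dev-only can ship with runtime code and deserves a closer look.
"""
import json

# Constructed sample lockfile (v3 layout), not taken from any real project:
# webpack is a devDependency and pulls in loader-utils; a second, nested copy
# sits under a hypothetical runtime dependency "some-runtime-lib".
SAMPLE_LOCK = json.dumps({
    "name": "my-dhis2-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"some-runtime-lib": "^1.0.0"},
             "devDependencies": {"webpack": "^5.0.0"}},
        "node_modules/webpack": {"version": "5.74.0", "dev": True,
                                 "dependencies": {"loader-utils": "^2.0.0"}},
        "node_modules/loader-utils": {"version": "2.0.2", "dev": True},
        "node_modules/some-runtime-lib": {"version": "1.0.0",
                                          "dependencies": {"loader-utils": "^1.4.0"}},
        "node_modules/some-runtime-lib/node_modules/loader-utils": {"version": "1.4.0"},
    },
})


def find_installs(lock_text: str, package: str) -> list[dict]:
    """Return every installed copy of `package`: path, version and dev flag."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("needs lockfileVersion 2 or 3 (the 'packages' map)")
    found = []
    for path, meta in lock["packages"].items():
        # Lockfile keys are install paths; the last segment is the package name.
        if path.endswith("node_modules/" + package):
            found.append({"path": path, "version": meta.get("version"),
                          "dev_only": bool(meta.get("dev", False))})
    return found


def runtime_exposed(lock_text: str, package: str) -> list[dict]:
    """Copies not marked dev: these can reach production code and need review."""
    return [i for i in find_installs(lock_text, package) if not i["dev_only"]]


if __name__ == "__main__":
    for inst in find_installs(SAMPLE_LOCK, "loader-utils"):
        flag = "build-time only" if inst["dev_only"] else "RUNTIME - review"
        print(f"{inst['path']} {inst['version']} ({flag})")
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of the application's package-lock.json. For the selective upgrade mentioned in the answer, npm's `overrides` field in package.json (npm 8.3 and later) is the supported way to pin a transitive version such as loader-utils without waiting for webpack.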

Fab! Thanks for the answer and the clear explanation, super helpful.

1 Like