Got an email from github today about a vulnerability in the loader-utils package on a DHIS2 app platform project and it seems this is an internal dependency of the app platform. What action would you advise I take? Perhaps just updating to the latest version will resolve the issue.
Thank you for your post @plinnegan! I’m reposting this to @dhis2-security and someone from the security team will have a look.
@plinnegan thanks for posting!
The vulnerabilities in loader-utils are of the types prototype pollution and denial of service. Since we only use loader-utils through our dependency on webpack at build time, the vulnerable library shouldn’t ever be exposed to untrusted input and therefore this shouldn’t be a legitimate security concern.

We will bump the version in app-platform once webpack fixes this. In the meantime you might be able to selectively upgrade the version of loader-utils in your application lockfile, but I don’t believe this should be critical for the reason described above.
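One way to verify the reasoning above against your own project, as an added example that is not part of this thread or of the DHIS2 tooling: it reads an npm lockfile (lockfileVersion 2/3 `packages` map, where `"dev": true` marks build-time-only packages), lists every installed copy of `loader-utils` with the package that pulled it in, and says whether all copies are dev-only. The lockfile below is a constructed sample, not a real app's.

```python
import json

# Constructed sample npm lockfile (lockfileVersion 2/3 "packages" map), not a
# real DHIS2 app lockfile. loader-utils appears twice, both only reachable
# through dev (build-time) tooling such as webpack.
SAMPLE_LOCK = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "devDependencies": {"webpack": "5.0.0"}},
    "node_modules/webpack": {"version": "5.0.0", "dev": true,
                             "dependencies": {"loader-utils": "2.0.0"}},
    "node_modules/webpack/node_modules/loader-utils": {"version": "2.0.0", "dev": true},
    "node_modules/loader-utils": {"version": "1.4.0", "dev": true}
  }
}
"""

def load_lock(text):
    """Parse lockfile JSON text into a dict."""
    return json.loads(text)

def find_instances(lock, name):
    """Every installed copy of `name`: (install path, version, dev-only flag)."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
            hits.append((path, entry.get("version"), bool(entry.get("dev"))))
    return hits

def parent_of(path):
    """Name of the package whose node_modules this copy is nested in."""
    parts = path.split("node_modules/")
    return parts[-2].strip("/") if len(parts) > 2 else "<root>"

def is_build_time_only(lock, name):
    """True when every copy of `name` is flagged dev, i.e. never shipped at runtime."""
    hits = find_instances(lock, name)
    return bool(hits) and all(dev for _, _, dev in hits)

def report(lock, name):
    """Human-readable line per copy plus an overall verdict string."""
    lines = [f"{path} (v{ver}, {'dev' if dev else 'PROD'}, via {parent_of(path)})"
             for path, ver, dev in find_instances(lock, name)]
    return lines, ("build-time only" if is_build_time_only(lock, name) else "reachable at runtime")

if __name__ == "__main__":
    lines, verdict = report(load_lock(SAMPLE_LOCK), "loader-utils")
    print("\n".join(lines), "\nverdict:", verdict)
```

Point it at a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file's contents; a `PROD` copy reachable from the root means the build-time-only argument does not hold for that project.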
Fab! Thanks for the answer and the clear explanation, super helpful.