Got an email from github today about a vulnerability in the loader-utils package on a DHIS2 app platform project and it seems this is an internal dependency of the app platform. What action would you advise I take? Perhaps just updating to the latest version will resolve the issue.
@plinnegan thanks for posting!
The vulnerabilities in loader-utils are of the types prototype pollution and denial of service. Since we only use loader-utils through our dependency on webpack at build-time, the vulnerable library shouldn't ever be exposed to untrusted input and therefore this shouldn't be a legitimate security concern.

We will bump the version in app-platform once webpack fixes this. In the meantime you might be able to selectively upgrade the version of loader-utils in your application lockfile, but I don't believe this should be critical for the reason described above.
Fab! Thanks for the answer and the clear explanation, super helpful.