Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade css-loader from 5.0.2 to 6.7.1 #40

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade css-loader from 5.0.2 to 6.7.1 #40

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade css-loader from 5.0.2 to 6.7.1.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 23 versions ahead of your current version.
  • The recommended version was released 5 months ago, on 2022-03-08.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Regular Expression Denial of Service (ReDoS)
npm:underscore.string:20170908		 375/1000
Why? CVSS 7.5		 No Known Exploit
Improper Input Validation
SNYK-JS-URLPARSE-2407770		 375/1000
Why? CVSS 7.5		 Proof of Concept
Arbitrary File Write
SNYK-JS-TAR-1579155		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Write
SNYK-JS-TAR-1579152		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Write
SNYK-JS-TAR-1579147		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Overwrite
SNYK-JS-TAR-1536531		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Overwrite
SNYK-JS-TAR-1536528		 375/1000
Why? CVSS 7.5		 No Known Exploit
Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032		 375/1000
Why? CVSS 7.5		 Proof of Concept
Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238		 375/1000
Why? CVSS 7.5		 Proof of Concept
Directory Traversal
SNYK-JS-MOMENT-2440688		 375/1000
Why? CVSS 7.5		 No Known Exploit
Command Injection
SNYK-JS-LODASH-1040724		 375/1000
Why? CVSS 7.5		 Proof of Concept
Improper Verification of Cryptographic Signature
SNYK-JS-JSRSASIGN-2869122		 375/1000
Why? CVSS 7.5		 Proof of Concept
Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922		 375/1000
Why? CVSS 7.5		 No Known Exploit
Prototype Pollution
SNYK-JS-GETOBJECT-1054932		 375/1000
Why? CVSS 7.5		 No Known Exploit
Remote Code Execution (RCE)
SNYK-JS-EJS-2803307		 375/1000
Why? CVSS 7.5		 Proof of Concept
Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-1579269		 375/1000
Why? CVSS 7.5		 Proof of Concept
Prototype Pollution
SNYK-JS-ASYNC-2441827		 375/1000
Why? CVSS 7.5		 Proof of Concept
Prototype Pollution
SNYK-JS-ASYNC-2441827		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIHTML-1296849		 375/1000
Why? CVSS 7.5		 Proof of Concept
Authorization Bypass Through User-Controlled Key
SNYK-JS-URLPARSE-2412697		 375/1000
Why? CVSS 7.5		 Proof of Concept
Authorization Bypass
SNYK-JS-URLPARSE-2407759		 375/1000
Why? CVSS 7.5		 Proof of Concept
Access Restriction Bypass
SNYK-JS-URLPARSE-2401205		 375/1000
Why? CVSS 7.5		 Proof of Concept
Open Redirect
SNYK-JS-URLPARSE-1533425		 375/1000
Why? CVSS 7.5		 Proof of Concept
Improper Input Validation
SNYK-JS-URLPARSE-1078283		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TERSER-2806366		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TERSER-2806366		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-POSTCSS-1090595		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHPARSE-1077067		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-NODEFETCH-2342118		 375/1000
Why? CVSS 7.5		 No Known Exploit
Information Exposure
SNYK-JS-NANOID-2332193		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKDOWNIT-2331914		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 375/1000
Why? CVSS 7.5		 Proof of Concept
Cryptographic Weakness
SNYK-JS-JSRSASIGN-1244072		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-I-1726768		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355		 375/1000
Why? CVSS 7.5		 Proof of Concept
Race Condition
SNYK-JS-GRUNT-2813632		 375/1000
Why? CVSS 7.5		 Proof of Concept
Directory Traversal
SNYK-JS-GRUNT-2635969		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2332181		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-EVENTSOURCE-2823375		 375/1000
Why? CVSS 7.5		 Proof of Concept
Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary Code Injection
SNYK-JS-EJS-1049328		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-BROWSERSLIST-1090194		 375/1000
Why? CVSS 7.5		 Proof of Concept
Uninitialized Memory Exposure
npm:utile:20180614		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758		 375/1000
Why? CVSS 7.5		 No Known Exploit
Prototype Pollution
SNYK-JS-MINIMIST-2429795		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346		 375/1000
Why? CVSS 7.5		 No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: css-loader
  • 6.7.1 - 2022-03-08

    6.7.1 (2022-03-08)

    Bug Fixes

  • 6.7.0 - 2022-03-04

    6.7.0 (2022-03-04)

    Features

  • 6.6.0 - 2022-02-02

    6.6.0 (2022-02-02)

    Features

    • added the hashStrategy option (ca4abce)
  • 6.5.1 - 2021-11-03

    6.5.1 (2021-11-03)

    Bug Fixes

    • regression with unicode characters in locals (b7a8441)
    • runtime path generation (#1393) (feafea8)
  • 6.5.0 - 2021-10-26

    6.5.0 (2021-10-26)

    Features

    • support absolute URL in url() when experiments.buildHttp enabled (#1389) (8946be4)

    Bug Fixes

    • respect nosources in the devtool option (c60eff2)
  • 6.4.0 - 2021-10-09

    6.4.0 (2021-10-09)

    Features

    • generate more collision resistant for locals (c7db752)

    Bug Fixes

    • classes generation for client and server bundling (303a3a1)
  • 6.3.0 - 2021-09-18

    6.3.0 (2021-09-18)

    Features

    • added [folder] placeholder (a0dee4f)
    • added the exportType option with 'array', 'string' and 'css-style-sheet' values (c6d2066)
      • 'array' - the default export is Array with API for style-loader and other
      • 'string' - the default export is String you don't need to-string-loader loader anymore
      • 'css-style-sheet' - the default export is a constructable stylesheet, you can use import sheet from './styles.css' assert { type: 'css' }; like in a browser, more information you can find here
    • supported supports() and layer() functions in @ import at-rules (#1377) (bce2c17)
    • fix multiple merging multiple @ media at-rules (#1377) (bce2c17)

    Bug Fixes

  • 6.2.0 - 2021-07-19

    6.2.0 (2021-07-19)

    Features

    • allow the exportLocalsConvention option can be a function useful for named export (#1351) (3c4b357)
  • 6.1.0 - 2021-07-17

    6.1.0 (2021-07-17)

    Features

    Bug Fixes

  • 6.0.0 - 2021-07-15

    6.0.0 (2021-07-14)

    Notes

    • using ~ is deprecated when the esModules option is enabled (enabled by default) and can be removed from your code (we recommend it) (url(~package/image.png) -> url(package/image.png), @ import url(~package/style.css) -> @ import url(package/style.css), composes: import from '~package/one.css'; -> composes: import from 'package/one.css';), but we still support it for historical reasons. Why can you remove it? The loader will first try to resolve @ import/url()/etc as relative, if it cannot be resolved, the loader will try to resolve @ import/url()/etc inside node_modules or modules directories.
    • file-loader and url-loader are deprecated, please migrate on asset modules, since v6 css-loader is generating new URL(...) syntax, it enables by default built-in assets modules, i.e. type: 'asset' for all url()

    ⚠ BREAKING CHANGES

    • minimum supported Node.js version is 12.13.0
    • minimum supported webpack version is 5, we recommend to update to the latest version for better performance
    • for url and import options Function type was removed in favor Object type with the filter property, i.e. before { url: () => true }, now { url: { filter: () => true } } and before { import: () => true }, now { import: { filter: () => true } }
    • the modules.compileType option was removed in favor the modules.mode option with icss value, also the modules option can have icss string value
    • new URL() syntax used for url(), only when the esModules option is enabled (enabled by default), it means you can bundle CSS for libraries
    • data URI are handling in url(), it means you can register loaders for them, example
    • aliases with false value for url() now generate empty data URI (i.e. data:0,), only when the esModules option is enabled (enabled by default)
    • [ext] placeholder don't need . (dot) before for the localIdentName option, i.e. please change .[ext] on [ext] (no dot before)
    • [folder] placeholder was removed without replacement for the localIdentName option, please use a custom function if you need complex logic
    • [emoji] placeholder was removed without replacement for the localIdentName option, please use a custom function if you need complex logic
    • the localIdentHashPrefix was removed in favor the localIdentHashSalt option

    Features

    • supported resolve.byDependency.css resolve options for @ import
    • supported resolve.byDependency.icss resolve CSS modules and ICSS imports (i.e. composes/etc)
    • added modules.localIdentHashFunction, modules.localIdentHashDigest, modules.localIdentHashDigestLength options for better class hashing controlling
    • less dependencies

    Bug Fixes

    • better performance
    • fixed circular @ import
  • 5.2.7 - 2021-07-13
  • 5.2.6 - 2021-05-24
  • 5.2.5 - 2021-05-20
  • 5.2.4 - 2021-04-19
  • 5.2.3 - 2021-04-19
  • 5.2.2 - 2021-04-16
  • 5.2.1 - 2021-04-09
  • 5.2.0 - 2021-03-24
  • 5.1.4 - 2021-03-24
  • 5.1.3 - 2021-03-15
  • 5.1.2 - 2021-03-10
  • 5.1.1 - 2021-03-01
  • 5.1.0 - 2021-02-25
  • 5.0.2 - 2021-02-08
from css-loader GitHub release notes
Commit messages
Package name: css-loader

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot