loader-utils security issue #1743

@jschuler

Description

Hi,

We are trying to remove traces of loader-utils @ v2 from our project OCM, due to a security scan issue https://issues.redhat.com/browse/HAC-2306

Flaw:

CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js
https://bugzilla.redhat.com/show_bug.cgi?id=2134872

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

loader-utils prior to version 3 is deprecated and no longer supported

External Reference:
https://github.com/webpack/loader-utils/issues/211

https://github.com/RedHatInsights/frontend-components/blob/master/packages/config-utils/chrome-render-loader.js
uses loader-utils getOptions method.

There are 2 issues:

  • There is an implicit dependency on loader-utils, since it's not in package.json
  • The implicit dependency is on version 2 of loader-utils; version 3 removed the method in favor of loaderContext

Can this function call be removed?
Thanks!
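Added example (not the frontend-components project's own chrome-render-loader, whose body is not shown here): a webpack loader that reads its options from the loader context instead of the removed loader-utils v2 `getOptions`, so the implicit loader-utils dependency disappears. The `resolveOptions` shim, the `flag` option and the loader body are assumptions for illustration; `loaderContext.getOptions()` is the webpack 5 API and `loaderContext.query` the older field that loader-utils used to parse.

```javascript
// Stand-in for loader-utils v2 getOptions(): prefer webpack 5's
// loaderContext.getOptions(); for older webpack versions fall back to the
// legacy `query` field (object, "?{json}" string, or "?key=value" string).
function resolveOptions(loaderContext) {
  if (typeof loaderContext.getOptions === 'function') {
    return loaderContext.getOptions();
  }
  const query = loaderContext.query;
  if (query && typeof query === 'object') return query;
  if (typeof query === 'string' && query.startsWith('?')) {
    const body = query.slice(1);
    if (body.startsWith('{')) return JSON.parse(body);
    return Object.fromEntries(new URLSearchParams(body));
  }
  return {};
}

// Hypothetical loader body: wraps the module source so it only runs once a
// named global flag is set. The flag is interpolated into generated code, so
// it is validated as a plain identifier before use.
function exampleLoader(source) {
  const { flag = 'RENDER_READY' } = resolveOptions(this);
  if (!/^[A-Za-z_$][\w$]*$/.test(flag)) {
    throw new Error(`exampleLoader: option "flag" must be an identifier, got ${flag}`);
  }
  return `if (globalThis.${flag}) {\n${source}\n}`;
}

// Constructed loader contexts emulating webpack 5 and an older webpack,
// so the loader can be exercised without a webpack build.
function runWithWebpack5Context(source, options) {
  return exampleLoader.call({ getOptions: () => options }, source);
}
function runWithLegacyContext(source, query) {
  return exampleLoader.call({ query }, source);
}
```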
