Skip to content

Bump loader-utils to 2.0.3+ (transitive) to fix critical prototype pollution alert#88

Open
technicalpickles wants to merge 1 commit into
mainfrom
fix-loader-utils-vuln
Open

Bump loader-utils to 2.0.3+ (transitive) to fix critical prototype pollution alert#88
technicalpickles wants to merge 1 commit into
mainfrom
fix-loader-utils-vuln

Conversation

@technicalpickles

Copy link
Copy Markdown
Contributor

Summary

Fixes Dependabot alert #3 (critical): loader-utils prototype pollution, vulnerable range >=2.0.0 <2.0.3.

loader-utils@2.0.2 lives in d3_graph_generator/yarn.lock and is purely transitive, hoisted through six react-scripts-bundled loaders (react-refresh-webpack-plugin, @svgr/webpack, babel-loader, file-loader, resolve-url-loader, adjust-sourcemap-loader), all of which request ^2.0.0.

Rather than add a direct dependency to break the vulnerable range, this uses yarn's resolutions field, scoped to those six requester paths, to force the hoisted instance up to 2.0.4. There's a separate, unrelated loader-utils@3.2.0 resolved for react-dev-utils (outside the vulnerable range) that this deliberately leaves alone, a bare "loader-utils" resolution key would have collapsed both instances into one and silently downgraded that unrelated 3.x install.

Verification

yarn why loader-utils before:

=> Found "loader-utils@2.0.2"
info Has been hoisted to "loader-utils"
   - Hoisted from "react-scripts#@pmmmwh#react-refresh-webpack-plugin#loader-utils"
   - Hoisted from "react-scripts#@svgr#webpack#loader-utils"
   - Hoisted from "react-scripts#babel-loader#loader-utils"
   - Hoisted from "react-scripts#file-loader#loader-utils"
   - Hoisted from "react-scripts#resolve-url-loader#loader-utils"
   - Hoisted from "react-scripts#resolve-url-loader#adjust-sourcemap-loader#loader-utils"
=> Found "react-dev-utils#loader-utils@3.2.0"

yarn why loader-utils after:

=> Found "loader-utils@2.0.4"
info Has been hoisted to "loader-utils"
   (same six requesters)
=> Found "react-dev-utils#loader-utils@3.2.0"   <- unchanged

git diff touches only d3_graph_generator/package.json (the resolutions addition) and d3_graph_generator/yarn.lock.

This repo's CI (ci.yml) doesn't build or test the d3_graph_generator subproject at all, it's a standalone dev tool invoked manually via yarn start. I ran yarn build locally to sanity check and it fails on both this branch and main with an unrelated pre-existing error (@babel/helper-compilation-targets: 'opera_mobile' is not a valid target), a stale caniuse-lite/browserslist issue in this old CRA setup, unrelated to loader-utils and out of scope here.

Test plan

  • yarn why loader-utils confirms hoisted instance is now 2.0.4, all six requesters satisfied
  • Confirmed the unrelated react-dev-utils loader-utils@3.2.0 block is untouched in the lockfile diff
  • Confirmed yarn build failure is pre-existing on main (unrelated to this change)

…j-7488)

loader-utils@2.0.2 was hoisted transitively through six react-scripts
loaders (react-refresh-webpack-plugin, @svgr/webpack, babel-loader,
file-loader, resolve-url-loader, adjust-sourcemap-loader), all pinned to
^2.0.0. Rather than add a direct dependency to break the vulnerable
range, this uses yarn resolutions scoped to those six requester paths so
the hoisted instance resolves to 2.0.4. react-dev-utils's separate
loader-utils@3.2.0 (not in the vulnerable range) is untouched.

Fixes: https://github.com/rubyatscale/visualize_packs/security/dependabot/3
@github-project-automation github-project-automation Bot moved this to Triage in Modularity Jul 9, 2026
@technicalpickles technicalpickles marked this pull request as ready for review July 9, 2026 17:48
@technicalpickles technicalpickles requested a review from a team as a code owner July 9, 2026 17:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Triage

Development

Successfully merging this pull request may close these issues.

1 participant