lqip-loader → url-regex vulnerability #192

Closed
mulholo opened this issue Aug 18, 2020 · 2 comments

Comments

@mulholo

mulholo commented Aug 18, 2020

We've just had a CI warning for url-regex, a dependency of lqip-loader. lqip-loader does not seem to be actively maintained and I am not confident that the issue on their repo will be resolved anytime soon. My team and I feel a little uncomfortable about this dependency chain.

My questions are:

  • What are your thoughts about moving away from lqip loader given that it appears to be unsupported?
  • Are there any ideas about fixing this particular vulnerability?
@cyrilwanner
Owner

What are your thoughts about moving away from lqip loader given that it appears to be unsupported?

I already moved away from this loader in the canary version. Actually, I moved away from all those different loaders as they introduced more problems than they have solved and it made maintaining this library hard in general. The custom loader is based on similar libraries and combines all features. That way, I can better control the dependency chain in the future in case a similar problem occurs.

Are there any ideas about fixing this particular vulnerability?

One way would be to already switch to the canary version. It is already considered stable and will be released soon when the missing features (?trace and ?sprite) are implemented. If you depend on those missing features or don't want to use a canary version, maybe manually pinning url-regex could work, depending on the version ranges in use.

@mulholo
Author

mulholo commented Aug 20, 2020

We use neither sprite nor trace, so that works just fine for us. Thanks!
