shakacode / bootstrap-loader

Load Bootstrap styles and scripts in your Webpack bundle

Support for new version of loader-utils?

plasticlobster opened this issue · comments

The current version of bootstrap-loader has a hard-versioned dependency on loader-utils 1.2.3.

loader-utils < 1.4.1 has a critical CVE (9.8/10) (CVE-2022-37601) - https://nvd.nist.gov/vuln/detail/CVE-2022-37601

Is there any chance this lib can be bumped without causing issues?

Looks like #410 resolves this.

Is there a scheduled NPM release that may include this?

@justin808 sorry to be so persistent... I see that @dargmuesli asked a couple of weeks ago in #410 if you would tag a new release. Can that please happen? This CVE is extremely serious.

@plasticlobster I just pushed 4.0.2.

Thanks so much! This cleared our critical dependabot alerts...

There's a less serious CVE-2022-37603 (7.5/10) that needs a version bump to loader-utils 1.4.2 to clear, but I'm able to force that install on my end using yarn.

It would be amazing if bootstrap-loader could change its dependency to ^1.0.0 (or better yet ^2.0.0) instead of hard-versioning on individual versions.

But I do appreciate you getting this released. It's a huge help. Thank you.
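As an added example, not code from the thread or from the bootstrap-loader project: the check a practitioner would want to run after an upgrade like this one is to confirm what loader-utils versions are actually resolved in the lockfile, since an exact pin deep in the tree (or a caret range that resolved before the fix shipped) can keep a vulnerable build installed. The script below walks a yarn.lock (v1 format) and flags every loader-utils entry still affected by CVE-2022-37601 or CVE-2022-37603. The 1.x thresholds (1.4.1 and 1.4.2) are the ones stated in the thread; the 2.x and 3.x fixed versions are taken from the NVD/GitHub advisory entries for these CVEs and are not mentioned on this page. The lockfile text is constructed for the example.

```javascript
// Added example: audit the loader-utils entries in a yarn.lock (v1 format)
// against CVE-2022-37601 and CVE-2022-37603. Not part of bootstrap-loader.
//
// Fixed versions by major line. 1.x values are from the thread above; the
// 2.x / 3.x values are from the advisory entries (assumption, not from the page).
//   CVE-2022-37601 (prototype pollution): 1.4.1, 2.0.3, 3.2.1
//   CVE-2022-37603 (ReDoS):               1.4.2, 2.0.4, 3.2.1
// A major line with no entry is treated as unaffected.
const ADVISORIES = [
  { id: "CVE-2022-37601", fixedIn: { 1: "1.4.1", 2: "2.0.3", 3: "3.2.1" } },
  { id: "CVE-2022-37603", fixedIn: { 1: "1.4.2", 2: "2.0.4", 3: "3.2.1" } },
];

// Constructed sample lockfile: an exact 1.2.3 pin (like bootstrap-loader's
// before 4.0.2), a ^2.0.0 range that resolved to a vulnerable build, a patched
// 1.4.2 entry, and an unrelated package that must be ignored.
const SAMPLE_YARN_LOCK = `
"loader-utils@1.2.3":
  version "1.2.3"
  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.2.3.tgz"
  dependencies:
    big.js "^5.2.2"
    emojis-list "^2.0.0"
    json5 "^1.0.1"

loader-utils@^2.0.0:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.2.tgz"

loader-utils@^1.4.0, "loader-utils@^1.0.0":
  version "1.4.2"
  resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.4.2.tgz"

big.js@^5.2.2:
  version "5.2.2"
  resolved "https://registry.yarnpkg.com/big.js/-/big.js-5.2.2.tgz"
`;

// Parse "x.y.z" into [x, y, z]; anything else (prerelease tags, ranges) is null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Advisory IDs that still apply to the given resolved loader-utils version.
function advisoriesFor(version) {
  const v = parseVersion(version);
  if (!v) return [];
  return ADVISORIES.filter(({ fixedIn }) => {
    const fixed = fixedIn[v[0]];
    return fixed !== undefined && compareVersions(v, parseVersion(fixed)) < 0;
  }).map(({ id }) => id);
}

// Walk a yarn.lock v1 text. An entry header sits at column 0, ends with ":"
// and lists one or more (possibly quoted) "name@range" specs separated by ", ";
// the indented `version` line that follows is what actually got installed.
// Only loader-utils entries are returned, each with the advisories that apply.
function findLoaderUtils(lockText) {
  const results = [];
  let specs = null;
  for (const line of lockText.split("\n")) {
    if (/^\S.*:$/.test(line)) {
      specs = line.slice(0, -1).split(", ").map((s) => s.replace(/^"|"$/g, ""));
      // Package name is everything before the last "@" (scoped names keep their leading "@").
      const name = specs[0].slice(0, specs[0].lastIndexOf("@"));
      if (name !== "loader-utils") specs = null;
      continue;
    }
    const m = /^\s+version "([^"]+)"/.exec(line);
    if (m && specs) {
      results.push({ specs, version: m[1], advisories: advisoriesFor(m[1]) });
      specs = null;
    }
  }
  return results;
}

// Entries that still need attention (non-empty advisory list).
function auditLock(lockText) {
  return findLoaderUtils(lockText).filter((r) => r.advisories.length > 0);
}

console.log(JSON.stringify(auditLock(SAMPLE_YARN_LOCK), null, 2));
```

On the constructed sample this reports the 1.2.3 pin and the 2.0.2 build and stays silent on 1.4.2. The fix the thread describes for the remaining ReDoS CVE, forcing 1.4.2 with yarn, corresponds to a `resolutions` entry for loader-utils in package.json; rerun the audit after regenerating the lockfile to confirm nothing in the tree still resolves below the fixed versions.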