tcoopman / image-webpack-loader

Image loader module for webpack


Update imagemin-svgo

apennell opened this issue · comments

There's a reported ReDoS vulnerability with is-svg v4.2.1:

Vulnerable versions: >= 2.1.0, < 4.2.2
Patched version: 4.2.2

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

is-svg is a dependency of imagemin-svgo, which is a dependency of image-webpack-loader. Current latest release of imagemin-svgo 9.0.0 ("imagemin-svgo": "^8.0.0" used here) is still using is-svg 4.2.1, but there's an open issue and PR in that repo to bump the dependency up, so ideally image-webpack-loader would upgrade imagemin-svgo once that fix is in.
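As an added example (not code from image-webpack-loader or from the reporter), the script below walks a package-lock-style dependency tree and flags any is-svg resolution that falls inside the advisory's vulnerable range; the tree shape, the helper names and the version strings in the sample are constructed for illustration.

```javascript
// Added example, not part of image-webpack-loader: audit a package-lock-style
// dependency tree for is-svg versions inside the advisory's range >= 2.1.0, < 4.2.2.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release suffixes are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable range quoted in the advisory (patched in 4.2.2).
function isVulnerableIsSvg(version) {
  const v = parseVersion(version);
  return compareVersions(v, [2, 1, 0]) >= 0 && compareVersions(v, [4, 2, 2]) < 0;
}

// Depth-first walk of a nested tree { name: { version, dependencies } },
// collecting each path that reaches `target` together with its resolved version.
function findPackagePaths(tree, target, path = [], out = []) {
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) out.push({ chain: here.join(' > '), version: node.version });
    if (node.dependencies) findPackagePaths(node.dependencies, target, here, out);
  }
  return out;
}

// One record per is-svg occurrence, flagged when it falls inside the vulnerable range.
function auditIsSvg(lockTree) {
  return findPackagePaths(lockTree, 'is-svg').map(h => ({ ...h, vulnerable: isVulnerableIsSvg(h.version) }));
}

// Constructed sample mirroring the chain described in the issue (versions illustrative).
const sampleLockTree = {
  'image-webpack-loader': { version: '0.0.0-example', dependencies: {
    'imagemin-svgo': { version: '9.0.0', dependencies: { 'is-svg': { version: '4.2.1' } } },
  } },
};

console.log(auditIsSvg(sampleLockTree));
```

Run it against the `dependencies` object of a real lockfile to list every chain that pulls in an affected is-svg, including copies nested under other packages.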

Hello. Is there a plan to upgrade the dependency within the image-webpack-loader?
The issue mentioned above imagemin/imagemin-svgo#45 has been closed.

imagemin-svgo was updated to version 9.0.0 in Release 8.0.0 (as visible in the CHANGELOG.md), so I think this issue can be closed.