Gathering detailed insights and metrics for loader-utils
Gathering detailed insights and metrics for loader-utils
Installations
npm install loader-utilsDeveloper
webpack
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>= 12.13.0
Typescript Support
No
Node Version
18.19.0
NPM Version
10.2.3
Statistics
766 Stars
256 Commits
185 Forks
19 Watching
4 Branches
112 Contributors
Updated on 05 Nov 2024
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
11,289,794,825
Last day
-4.7%
9,604,700
Compared to previous day
Last week
2%
51,115,175
Compared to previous week
Last month
14.3%
211,580,226
Compared to previous month
Last year
-14.9%
2,371,573,832
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
6
Versions
loader-utils
Methods
urlToRequest
Converts some resource URL to a webpack module request.
i Before call
urlToRequestyou need callisUrlRequestto ensure it is requestable url
1const url = "path/to/module.js"; 2 3if (loaderUtils.isUrlRequest(url)) { 4 // Logic for requestable url 5 const request = loaderUtils.urlToRequest(url); 6} else { 7 // Logic for not requestable url 8}
Simple example:
1const url = "path/to/module.js"; 2const request = loaderUtils.urlToRequest(url); // "./path/to/module.js"
Module URLs
Any URL containing a ~ will be interpreted as a module request. Anything after the ~ will be considered the request path.
1const url = "~path/to/module.js"; 2const request = loaderUtils.urlToRequest(url); // "path/to/module.js"
Root-relative URLs
URLs that are root-relative (start with /) can be resolved relative to some arbitrary path by using the root parameter:
1const url = "/path/to/module.js"; 2const root = "./root"; 3const request = loaderUtils.urlToRequest(url, root); // "./root/path/to/module.js"
To convert a root-relative URL into a module URL, specify a root value that starts with ~:
1const url = "/path/to/module.js"; 2const root = "~"; 3const request = loaderUtils.urlToRequest(url, root); // "path/to/module.js"
interpolateName
Interpolates a filename template using multiple placeholders and/or a regular expression.
The template and regular expression are set as query params called name and regExp on the current loader's context.
1const interpolatedName = loaderUtils.interpolateName( 2 loaderContext, 3 name, 4 options 5);
The following tokens are replaced in the name parameter:
[ext]the extension of the resource[name]the basename of the resource[path]the path of the resource relative to thecontextquery parameter or option.[folder]the folder the resource is in[query]the queryof the resource, i.e.?foo=bar[contenthash]the hash ofoptions.content(Buffer) (by default it's the hex digest of thexxhash64hash)[<hashType>:contenthash:<digestType>:<length>]optionally one can configure- other
hashTypes, i. e.xxhash64,sha1,md4(wasm version),native-md4(cryptomodule version),md5,sha256,sha512 - other
digestTypes, i. e.hex,base26,base32,base36,base49,base52,base58,base62,base64,base64safe - and
lengththe length in chars
- other
[hash]the hash ofoptions.content(Buffer) (by default it's the hex digest of thexxhash64hash)[<hashType>:hash:<digestType>:<length>]optionally one can configure- other
hashTypes, i. e.xxhash64,sha1,md4(wasm version),native-md4(cryptomodule version),md5,sha256,sha512 - other
digestTypes, i. e.hex,base26,base32,base36,base49,base52,base58,base62,base64,base64safe - and
lengththe length in chars
- other
[N]the N-th match obtained from matching the current file name againstoptions.regExp
In loader context [hash] and [contenthash] are the same, but we recommend using [contenthash] for avoid misleading.
digestType with base64safe don't contain /, + and = symbols.
Examples
1// loaderContext.resourcePath = "/absolute/path/to/app/js/javascript.js" 2loaderUtils.interpolateName(loaderContext, "js/[hash].script.[ext]", { content: ... }); 3// => js/9473fdd0d880a43c21b7778d34872157.script.js 4 5// loaderContext.resourcePath = "/absolute/path/to/app/js/javascript.js" 6// loaderContext.resourceQuery = "?foo=bar" 7loaderUtils.interpolateName(loaderContext, "js/[hash].script.[ext][query]", { content: ... }); 8// => js/9473fdd0d880a43c21b7778d34872157.script.js?foo=bar 9 10// loaderContext.resourcePath = "/absolute/path/to/app/js/javascript.js" 11loaderUtils.interpolateName(loaderContext, "js/[contenthash].script.[ext]", { content: ... }); 12// => js/9473fdd0d880a43c21b7778d34872157.script.js 13 14// loaderContext.resourcePath = "/absolute/path/to/app/page.html" 15loaderUtils.interpolateName(loaderContext, "html-[hash:6].html", { content: ... }); 16// => html-9473fd.html 17 18// loaderContext.resourcePath = "/absolute/path/to/app/flash.txt" 19loaderUtils.interpolateName(loaderContext, "[hash]", { content: ... }); 20// => c31e9820c001c9c4a86bce33ce43b679 21 22// loaderContext.resourcePath = "/absolute/path/to/app/img/image.png" 23loaderUtils.interpolateName(loaderContext, "[sha512:hash:base64:7].[ext]", { content: ... }); 24// => 2BKDTjl.png 25// use sha512 hash instead of xxhash64 and with only 7 chars of base64 26 27// loaderContext.resourcePath = "/absolute/path/to/app/img/myself.png" 28// loaderContext.query.name = 29loaderUtils.interpolateName(loaderContext, "picture.png"); 30// => picture.png 31 32// loaderContext.resourcePath = "/absolute/path/to/app/dir/file.png" 33loaderUtils.interpolateName(loaderContext, "[path][name].[ext]?[hash]", { content: ... }); 34// => /app/dir/file.png?9473fdd0d880a43c21b7778d34872157 35 36// loaderContext.resourcePath = "/absolute/path/to/app/js/page-home.js" 37loaderUtils.interpolateName(loaderContext, "script-[1].[ext]", { regExp: "page-(.*)\\.js", content: ... }); 38// => script-home.js 39 40// loaderContext.resourcePath = "/absolute/path/to/app/js/javascript.js" 41// loaderContext.resourceQuery = "?foo=bar" 42loaderUtils.interpolateName( 43 loaderContext, 44 (resourcePath, resourceQuery) => { 45 // resourcePath - `/app/js/javascript.js` 46 // resourceQuery - `?foo=bar` 47 48 return "js/[hash].script.[ext]"; 49 }, 50 { content: ... } 51); 52// => js/9473fdd0d880a43c21b7778d34872157.script.js
getHashDigest
1const digestString = loaderUtils.getHashDigest( 2 buffer, 3 hashType, 4 digestType, 5 maxLength 6);
bufferthe content that should be hashedhashTypeone ofxxhash64,sha1,md4,md5,sha256,sha512or any other node.js supported hash typedigestTypeone ofhex,base26,base32,base36,base49,base52,base58,base62,base64,base64safemaxLengththe maximum length in chars
License
Stable Version
The latest stable version of the package.
Stable Version
3.3.1
CRITICAL
2
CRITICAL
9.8/10
Summary
Prototype pollution in webpack loader-utils
Affected Versions
< 1.4.1
Patched Versions
1.4.1
CRITICAL
9.8/10
Summary
Prototype pollution in webpack loader-utils
Affected Versions
>= 2.0.0, < 2.0.3
Patched Versions
2.0.3
HIGH
6
HIGH
7.5/10
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Affected Versions
>= 3.0.0, < 3.2.1
Patched Versions
3.2.1
HIGH
7.5/10
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Affected Versions
>= 2.0.0, < 2.0.4
Patched Versions
2.0.4
HIGH
7.5/10
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Affected Versions
>= 1.0.0, < 1.4.2
Patched Versions
1.4.2
HIGH
7.5/10
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Affected Versions
>= 3.0.0, < 3.2.1
Patched Versions
3.2.1
HIGH
7.5/10
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Affected Versions
>= 2.0.0, < 2.0.4
Patched Versions
2.0.4
HIGH
7.5/10
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Affected Versions
>= 1.0.0, < 1.4.2
Patched Versions
1.4.2
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/nodejs.yml:19
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/nodejs.yml:20
- Info: topLevel 'contents' permission set to 'read': .github/workflows/nodejs.yml:14
- Info: no jobLevel write permissions found
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
5 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Reason
Found 7/26 approved changesets -- score normalized to 2
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/loader-utils/nodejs.yml/master?enable=pin
- Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 20 are checked with a SAST tool
Score
5.1
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More