Bundle Analysis Tools are riddled with vulnerabilities

[matthewtusker]

Dependabot is screaming at us because the Webpack Bundle Analysis plugin is pulling in vulnerable dependencies. There have been no commits to that repo in 10 months, is it dead? Am I supposed to remove it and stop using bundle analysis? I've asked in that repo (started a discussion, raised an issue listing the vulnerabilities) and have had zero response.

[matthewtusker]

The vulnerabilities exist in bundler-plugin-core, so they affect all Javascript bundle analysis tools, not just the Webpack plugin.

[rlorenzo]

Yeah, I am also getting alerts on issues from npm.

@codecov/vite-plugin@1.9.1
  @codecov/bundler-plugin-core@1.9.1
    @actions/github@6.0.1
      undici@5.29.0

5 High-severity vulnerabilities in undici:

• GHSA-g9mf-h72j-4rw9: unbounded decompression chain in HTTP responses
• GHSA-2mjp-6q6p-2qxm: HTTP request/response smuggling
• GHSA-vrm6-8vpv-qv8q: unbounded WebSocket memory consumption
• GHSA-v9p9-hfj2-hcw8: unhandled WebSocket exception
• GHSA-4992-7rv2-5pvq: CRLF injection via upgrade option