Installed babel-loader 8.1.0 today, still seeing this from npm list:

Npm vulnerability: https://www.npmjs.com/advisories/1179
@createthis loader-utils has a json5@^1.0.1 dep, which has a minimist@^1.2.0 dep... you can try removing the minimist entry in your lockfile to grab the latest.
@existentialism I did rm package-lock.json && npm install && npm list. It's still the same result.
Looks like updating dep to loader-utils 2.0.0 would resolve the situation as it would pull in [email protected]. However, that's a breaking change so users can't do it from package.json.
@createthis clearing the audit warning definitely doesn't require loader-utils@2, this repo itself uses dep and doesn't have the warning!
Instead of killing the whole lockfile, maybe try removing just the [email protected] entry and running npm i?
Or try npm --depth 9999 update minimist
Adding "minimist": "^1.2.3", to package.json solves the problem, it's just less than ideal.
It shouldn't be needed. There is a reason almost everyone uses ^ in their dependencies: it's to automatically get updates :man_shrugging:
If you add the following below browserslist in package.json:
    "resolutions": {
      "minimist": "^1.2.3"
    }
then delete node_modules and run
    npx npm-force-resolutions && npm install
it will resolve the issue.
@existentialism This can be closed because it was fixed a long time ago; you need to regenerate the lock file.
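Added example, not posted by anyone in this thread and not babel-loader's own code: a small Node script that walks a parsed package-lock.json and lists every resolved copy of minimist with its install location, flagging copies below the 1.2.3 floor mentioned above. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: find every resolved copy of a package in a lockfile.
// Compare two plain x.y.z versions numerically (pre-release tags are ignored).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version, outdated }] for each locked copy of `name`.
function findCopies(lock, name, minVersion) {
  const hits = [];
  const add = (path, version) =>
    hits.push({ path, version, outdated: cmp(version, minVersion) < 0 });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && entry.version) add(path, entry.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects mirror node_modules nesting.
    const walk = (deps, trail) => {
      for (const [dep, entry] of Object.entries(deps || {})) {
        const here = trail.concat(dep);
        if (dep === name) add(here.join(' > '), entry.version);
        walk(entry.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample in the lockfileVersion 1 shape (not taken from the thread).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.5' },
    json5: { version: '1.0.1', dependencies: { minimist: { version: '1.2.0' } } },
  },
};

// For a real project, pass the parsed contents of package-lock.json instead.
console.log(findCopies(sampleLock, 'minimist', '1.2.3'));
```

A copy reported with `outdated: true` is pinned by the lockfile at that location, which is why `npm list` keeps showing it until that entry is regenerated.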