Upgrade loader-utils to 2.0.4 in storysource and source-loader

[mukundkatpatal]

… to resolve a critical security issue found by npm audit
I just upgraded the versions of the loader utils in source-loader and storysource to resolve the security finding from the npm audit

Issue: critical security vulnerability in the loader-utils

What I did

Upgraded the loader-utils to 2.0.4 in storysource and source-loader

How to test

loader-utils 2.0.0 - 2.0.3 || 3.0.0 - 3.2.0
Severity: critical
Prototype pollution in webpack loader-utils - GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
fix available via npm audit fix
node_modules/@storybook/addon-storysource/node_modules/loader-utils
node_modules/@storybook/angular/node_modules/loader-utils
node_modules/@storybook/builder-webpack5/node_modules/loader-utils
node_modules/@storybook/manager-webpack5/node_modules/loader-utils
node_modules/adjust-sourcemap-loader/node_modules/loader-utils
node_modules/babel-loader/node_modules/loader-utils
node_modules/loader-utils
node_modules/resolve-url-loader/node_modules/loader-utils
node_modules/style-loader/node_modules/loader-utils
node_modules/ts-loader/node_modules/loader-utils

If your answer is yes to any of these, please make sure to include it in your PR.

To @maintainers, I would like this to be patched for 6.5.13 versions.
Although this issue might have been fixed for 7-next, since there is no stable version 7, I need to have 6.5.14 as a stable version.

[JReinhold]

Thanks for being on top of this!
We should change this to version 2.0.4 instead of 2.0.3, and run yarn install in both packages to ensure yarn.locks are also being re-generated.

[ndelangen]

@shilman this should be patched to 6.5 ?

[shilman]

@ndelangen this is already targeting the main-prerelease branch

[bnussman-akamai]

@storybook/[email protected] uses [email protected] and [email protected] which is many years old which causes [email protected] to be installed. For the average storybook user, this didn't resolve the loader-utils vulnerabilities in Storybook.

@storybook/builder-webpack4 needs to update its css-loader version or storybook needs to stop shipping with webpack

[shilman]

@bnussman-akamai there are lots of security issues with webpack4. if you're concerned, please upgrade to the latest prerelease which gets rid of webpack4 entirely and handles all known npm audit issues.

npx sb@next upgrade --prerelease

WIP migration guide here https://chromatic-ui.notion.site/Storybook-7-migration-guide-dbf41fa347304eb2a5e9c69b34503937