Conversation

@ar10642 ar10642 commented Aug 11, 2023

An attempt to replace the dependency on webpack-inject-plugin with the Webpack BannerPlugin instead.

All tests pass, it seems to work in my local project that uses it. Apologies if I've missed something here or not done something I was supposed to. I am doing this because my company has a requirement for libraries to not have critical security issues.

As mentioned in #454

@kissifrot

Wish it could be merged 🙏

mdriessen commented Nov 7, 2023

@tobias-93 This issue also showed up in our security scans. Can this fix be merged?

critical │ Prototype pollution in webpack loader-utils
Package │ loader-utils
Patched in │ >=1.4.1
Dependency of │ fos-router
Path │ fos-router > webpack-inject-plugin > loader-utils
More info │ https://www.npmjs.com/advisories/1094088
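
The audit finding above reports a transitive path, fos-router > webpack-inject-plugin > loader-utils, rather than a direct dependency. The script below is an added example (not code from fos-router or from this PR) showing how such a path is derived from a project's package.json and a package-lock.json v1 tree: each package's "requires" entries are resolved against the nearest enclosing "dependencies" map, the same lookup order Node's module resolution uses, so a nested, unpatched copy is found even when a patched copy is hoisted to the top level. All package names, versions and the lockfile contents are constructed sample data, except the loader-utils name and the ">=1.4.1" patched range quoted from the advisory.

```javascript
// Added example, not from the fos-router project: trace how a flagged
// transitive dependency is reached from a project's direct dependencies,
// using "requires" plus nearest-ancestor lookup over a package-lock.json v1 tree.
// All package data below is constructed; only loader-utils and ">=1.4.1"
// come from the advisory quoted in the discussion.

// Constructed package.json: the project's direct dependencies.
const PACKAGE_JSON = {
  dependencies: { 'fos-router': '^2.4.6', 'other-loader': '^1.0.0' },
};

// Constructed package-lock.json (v1 shape): "dependencies" is the installed
// tree, "requires" is what each package asks for. Versions are sample values.
const PACKAGE_LOCK = {
  dependencies: {
    'fos-router': {
      version: '2.4.6',
      requires: { 'webpack-inject-plugin': '^1.0.0' },
      dependencies: {
        'webpack-inject-plugin': {
          version: '1.0.0',
          requires: { 'loader-utils': '^1.1.0' },
          // Nested copy: shadows the hoisted loader-utils for this subtree.
          dependencies: { 'loader-utils': { version: '1.4.0' } },
        },
      },
    },
    'other-loader': { version: '1.0.0', requires: { 'loader-utils': '^2.0.0' } },
    'loader-utils': { version: '2.0.4' }, // hoisted copy, already patched
  },
};

// Compare two dotted numeric versions (x.y.z); prerelease tags are not handled.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Node-style lookup: the nearest enclosing "dependencies" map wins.
function resolveFrom(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null; // lockfile and package.json are out of sync
}

// Return every path from a direct dependency to `target` whose installed
// version is below `patchedMin` (accepts "1.4.1" or ">=1.4.1").
function findVulnerablePaths(pkgJson, lock, target, patchedMin) {
  const min = patchedMin.replace(/^>=/, '');
  const hits = [];
  const visit = (name, scopes, path) => {
    if (path.includes(name)) return; // cycle guard
    const node = resolveFrom(scopes, name);
    if (!node) return;
    const here = path.concat(name);
    if (name === target && versionLessThan(node.version, min)) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    for (const dep of Object.keys(node.requires || {})) {
      visit(dep, scopes.concat(node), here);
    }
  };
  for (const direct of Object.keys(pkgJson.dependencies || {})) {
    visit(direct, [lock], []);
  }
  return hits;
}

// Usage: reproduces the shape of the audit path reported above.
console.log(findVulnerablePaths(PACKAGE_JSON, PACKAGE_LOCK, 'loader-utils', '>=1.4.1'));
```

On the constructed data the only hit is fos-router > webpack-inject-plugin > loader-utils at 1.4.0; other-loader resolves to the hoisted 2.0.4 copy and is not reported. Removing the webpack-inject-plugin requirement, as this PR does, removes the only edge by which the unpatched copy is reached.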

@tobias-93 (Collaborator)

Hi @ar10642, sorry for the delayed response. What did you change in router.js and router.min.js? If it is just line endings then please revert, so the scope of this change is as clean as possible. Then I can merge this. I cannot test since I'm not using this method in my projects, but if other developers see this work, it's good to me. Thanks!

@tobias-93 tobias-93 mentioned this pull request Nov 30, 2023
@tacman (Contributor) commented Nov 30, 2023

On a related note, with AssetMapper I've been using the npm version of fos-router.

bin/console importmap:require fos-routing

@tobias-93 tobias-93 force-pushed the remove-webpack-inject-vulnerability branch from 21de161 to 6d8bbb9 Compare December 12, 2023 13:11
@tobias-93 tobias-93 merged commit 23b8ec9 into FriendsOfSymfony:master Dec 12, 2023
@Crovitche-1623

Hi @tobias-93, do you know if it's normal that there are no versions above 2.4.6 on npm?

see https://www.npmjs.com/package/fos-router

I would like to install the bundle independently of the Symfony files and only have the JS files on NPM.

@Crovitche-1623

@tobias-93 What would you think if this bundle implemented what's done on Symfony UX to release automatically on NPM?

see https://github.com/symfony/ux/blob/2.x/.github/workflows/release-on-npm.yaml
