[Snyk] Upgrade webpack-cli from 4.10.0 to 6.0.1

[Sec32fun32]

Snyk has created this PR to upgrade webpack-cli from 4.10.0 to 6.0.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 10 versions ahead of your current version.

• The recommended version was released a month ago.

Release notes

Package name: webpack-cli

• 6.0.1 - 2024-12-20
  

  6.0.1 (2024-12-20)

  Bug Fixes

  • update peer dependencies (#4356) (7a7e5d9)
• 6.0.0 - 2024-12-19
  

  6.0.0 (2024-12-19)

  BREAKING CHANGES

  • the minimum required Node.js version is 18.12.0
  • removed init, loader and plugin commands in favor create-webpack-app
  • dropped support for webpack-dev-server@v4
  • minimum supported webpack version is 5.82.0

  Bug Fixes

  • allow to require webpack.config.js in ESM format (#4346) (5106684)
  • correct the minimum help output (#4057) (c727c4f)
  • gracefully shutting down (#4145) (90720e2)
  • improve help output for possible values (#4316) (4cd5aef)
  • no serve when dev-server is false (#2947) (a93e860)

  Features

  • output pnpm version with info/version command (#3906) (38f3c6f)
• 5.1.4 - 2023-06-07
• 5.1.3 - 2023-06-04
• 5.1.2 - 2023-06-04
• 5.1.1 - 2023-05-09
• 5.1.0 - 2023-05-07
• 5.0.2 - 2023-04-21
• 5.0.1 - 2022-12-05
• 5.0.0 - 2022-11-17
• 4.10.0 - 2022-06-13

from webpack-cli GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@11ty/eleventy-fetch@4.0.1	environment, filesystem, network	+9	617 kB	zachleat
npm/@11ty/eleventy-img@3.1.8	filesystem	+8	733 kB	zachleat
npm/@11ty/eleventy-navigation@0.3.5	None	+1	57 kB	zachleat
npm/@11ty/eleventy-plugin-rss@1.2.0	None	0	8.71 kB	zachleat
npm/@11ty/eleventy-plugin-syntaxhighlight@5.0.0	None	0	72.7 kB	zachleat
npm/@11ty/eleventy@2.0.1	environment, filesystem, unsafe Transitive: eval, network, shell	+71	15.6 MB	zachleat
npm/@munter/tap-render@0.2.0	None	0	16.9 kB	munter
npm/@types/markdown-it@12.2.3	None	+2	58.1 kB	types
npm/algoliasearch@4.24.0	Transitive: network	+15	612 kB	shortcuts
npm/autoprefixer@10.4.20	environment	+2	293 kB	ai
npm/cross-env@7.0.3	environment	0	29.1 kB	kentcdodds
npm/cssnano@7.0.6	Transitive: filesystem	+4	154 kB	ludovicofischer
npm/eleventy-plugin-nesting-toc@1.3.0	None	+13	2.71 MB	jshurmer
npm/github-slugger@1.5.0	None	0	13.5 kB	wooorm
npm/hyperlink@5.0.4	network Transitive: environment, eval, filesystem, shell, unsafe	+111	12.5 MB	papandreou
npm/imagemin-cli@7.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	+167	7.2 MB	sindresorhus
npm/luxon@2.5.2	None	0	3.87 MB	icambron
npm/markdown-it-anchor@8.6.7	None	0	154 kB	valeriangalliat
npm/markdown-it-container@3.0.0	None	0	17.1 kB	vitaly
npm/markdown-it@12.3.2	None	+3	664 kB	vitaly
npm/npm-run-all2@5.0.2	environment	+2	158 kB	bret

🚮 Removed packages: npm/@babel/core@7.26.0, npm/@babel/preset-env@7.26.0, npm/@eslint/core@0.9.1, npm/@eslint/js@9.17.0, npm/@eslint/json@0.8.0, npm/@trunkio/launcher@1.3.4, npm/@types/node@20.17.14, npm/@typescript-eslint/parser@8.20.0, npm/@wdio/browser-runner@9.5.7, npm/@wdio/cli@9.5.7, npm/@wdio/concise-reporter@9.5.0, npm/@wdio/mocha-framework@9.5.0, npm/babel-loader@8.4.1, npm/c8@7.14.0, npm/chai@4.5.0, npm/eslint-plugin-eslint-plugin@6.4.0, npm/eslint-plugin-expect-type@0.6.2, npm/eslint-plugin-yml@1.16.0, npm/eslint-release@3.3.0, npm/eslint-rule-composer@0.3.0, npm/eslump@3.0.0, npm/fs-teardown@0.1.3

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Deprecated	npm/abab@2.0.6	Reason: Use your platform's native atob() and btoa() methods instead	docs/package.json	⚠︎
Deprecated	npm/har-validator@5.1.5	Reason: this library is no longer supported	Source	⚠︎
Deprecated	npm/@hapi/hoek@8.5.1	Reason: This version has been deprecated and is no longer supported or maintained	Source	⚠︎
Deprecated	npm/@hapi/joi@15.1.1	Reason: Switch to 'npm install joi'	Source	⚠︎
Deprecated	npm/@hapi/topo@3.1.6	Reason: This version has been deprecated and is no longer supported or maintained	Source	⚠︎
Deprecated	npm/@hapi/address@2.1.4	Reason: Moved to 'npm install @sideway/address'	Source	⚠︎
Deprecated	npm/@hapi/bourne@1.3.2	Reason: This version has been deprecated and is no longer supported or maintained	Source	⚠︎
High CVE	npm/cross-spawn@5.1.0	CVE: GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn (HIGH) Affected versions: < 6.0.6 Patched version: 6.0.6	docs/package.json	⚠︎
Deprecated	npm/rimraf@2.7.1	Reason: Rimraf versions prior to v4 are no longer supported	docs/package.json	⚠︎
High CVE	npm/lodash.template@4.5.0	CVE: GHSA-35jh-r3h4-6jhm Command Injection in lodash (HIGH) Affected versions: <= 4.5.0 Patched version: No patched versions	Source	⚠︎
Deprecated	npm/domexception@2.0.1	Reason: Use your platform's native DOMException instead	docs/package.json	⚠︎
High CVE	npm/trim-newlines@1.0.0	CVE: GHSA-7p7h-4mm5-852v Uncontrolled Resource Consumption in trim-newlines (HIGH) Affected versions: < 3.0.1 Patched version: 3.0.1	Source	⚠︎
High CVE	npm/html-minifier@4.0.0	CVE: GHSA-pfq8-rq6v-vf5m kangax html-minifier REDoS vulnerability (HIGH) Affected versions: <= 4.0.0 Patched version: No patched versions	docs/package.json	⚠︎
Unpopular package	npm/@munter/tap-render@0.2.0	Location: Package overview	docs/package.json	⚠︎
Unpopular package	npm/hyperlink@5.0.4	Location: Package overview	docs/package.json	⚠︎
Unpopular package	npm/assetgraph-plugin-sitemap@1.0.0	Location: Package overview	docs/package.json	⚠︎
Unpopular package	npm/hreftypes@1.0.1	Location: Package overview	docs/package.json	⚠︎
Unpopular package	npm/@parcel/watcher-linux-arm-musl@2.5.0	Location: Package overview	Source	⚠︎
High CVE	npm/http-cache-semantics@3.8.1	CVE: GHSA-rc47-6667-2j5j http-cache-semantics vulnerable to Regular Expression Denial of Service (HIGH) Affected versions: < 4.1.1 Patched version: 4.1.1	docs/package.json	⚠︎
Deprecated	npm/glob@7.2.3	Reason: Glob versions prior to v9 are no longer supported	docs/package.json	⚠︎
Unstable ownership	npm/form-data@3.0.2	Author: ljharb	docs/package.json	⚠︎
Deprecated	npm/core-js@2.6.12	Reason: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.	Source	⚠︎

View full report↗︎

Next steps

What is a deprecated package?

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

What is a CVE?

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What are unpopular packages?

This package is not very popular.

Unpopular packages may have less maintenance and contain other problems.

What is unstable ownership?

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/abab@2.0.6
• @SocketSecurity ignore npm/har-validator@5.1.5
• @SocketSecurity ignore npm/@hapi/hoek@8.5.1
• @SocketSecurity ignore npm/@hapi/joi@15.1.1
• @SocketSecurity ignore npm/@hapi/topo@3.1.6
• @SocketSecurity ignore npm/@hapi/address@2.1.4
• @SocketSecurity ignore npm/@hapi/bourne@1.3.2
• @SocketSecurity ignore npm/cross-spawn@5.1.0
• @SocketSecurity ignore npm/rimraf@2.7.1
• @SocketSecurity ignore npm/lodash.template@4.5.0
• @SocketSecurity ignore npm/domexception@2.0.1
• @SocketSecurity ignore npm/trim-newlines@1.0.0
• @SocketSecurity ignore npm/html-minifier@4.0.0
• @SocketSecurity ignore npm/@munter/tap-render@0.2.0
• @SocketSecurity ignore npm/hyperlink@5.0.4
• @SocketSecurity ignore npm/assetgraph-plugin-sitemap@1.0.0
• @SocketSecurity ignore npm/hreftypes@1.0.1
• @SocketSecurity ignore npm/@parcel/watcher-linux-arm-musl@2.5.0
• @SocketSecurity ignore npm/http-cache-semantics@3.8.1
• @SocketSecurity ignore npm/glob@7.2.3
• @SocketSecurity ignore npm/form-data@3.0.2
• @SocketSecurity ignore npm/core-js@2.6.12

[github-actions]

Hi everyone, it looks like we lost track of this pull request. Please review and see what the next steps are. This pull request will auto-close in 7 days without an update.

[github-actions]

This pull request was auto-closed due to inactivity. While we wish we could keep working on every request, we unfortunately don't have the bandwidth to continue here and need to focus on other things. You can resubmit this pull request if you would like to continue working on it.