Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency webpack to v5.76.0 [security] - autoclosed #1891

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency webpack to v5.76.0 [security] - autoclosed #1891

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 16, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webpack 5.68.0 -> 5.76.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Release Notes

webpack/webpack (webpack)

v5.76.0

Compare Source

Bugfixes

Features

Security

Repo Changes

New Contributors

Full Changelog: webpack/webpack@v5.75.0...v5.76.0

v5.75.0

Compare Source

Bugfixes

  • experiments.* normalize to false when opt-out
  • avoid NaN%
  • show the correct error when using a conflicting chunk name in code
  • HMR code tests existance of window before trying to access it
  • fix eval-nosources-* actually exclude sources
  • fix race condition where no module is returned from processing module
  • fix position of standalong semicolon in runtime code

Features

  • add support for @import to extenal CSS when using experimental CSS in node
  • add i64 support to the deprecated WASM implementation

Developer Experience

  • expose EnableWasmLoadingPlugin
  • add more typings
  • generate getters instead of readonly properties in typings to allow overriding them

v5.74.0

Compare Source

Features

  • add resolve.extensionAlias option which allows to alias extensions
    • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
  • add support for ES2022 features like static blocks
  • add Tree Shaking support for ProvidePlugin

Bugfixes

  • fix persistent cache when some build dependencies are on a different windows drive
  • make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
  • remove left-over from debugging in TLA/async modules runtime code
  • remove unneeded extra 1s timestamp offset during watching when files are actually untouched
    • This sometimes caused an additional second build which are not really needed
  • fix shareScope option for ModuleFederationPlugin
  • set "use-credentials" also for same origin scripts

Performance

  • Improve memory usage and performance of aggregating needed files/directories for watching
    • This affects rebuild performance

Extensibility

  • export HarmonyImportDependency for plugins

v5.73.0

Compare Source

Features

  • add options for default dynamicImportMode and prefetch and preload
  • add support for import { createRequire } from "module" in source code

Bugfixes

  • fix code generation of e. g. return"field"in Module
  • fix performance of large JSON modules
  • fix performance of async modules evaluation

Developer Experience

  • export PathData in typings
  • improve error messages with more details

v5.72.1

Compare Source

Bugfixes

  • fix __webpack_nonce__ with HMR
  • fix in operator in some cases
  • fix json parsing error messages
  • fix module concatenation with using this.importModule
  • upgrade enhanced-resolve

v5.72.0

Compare Source

Features

  • make cache warnings caused by build errors less verbose
  • Allow banner to be placed as a footer with the BannerPlugin
  • allow to concatenate asset modules

Bugfixes

  • fix RemoteModules when using HMR (Module Federation + HMR)
  • throw error when using module concatenation and cacheUnaffected
  • fix in operator with nested exports

v5.71.0

Compare Source

Features

  • choose smarter default for uniqueName when using a output.library which includes placeholders
  • add support for expressions with in of a imported binding
  • generate UMD code with arrow functions when possible

Bugfixes

  • fix source map source names for ContextModule to be relative
  • fix chunkLoading option in module module
  • fix edge case where evaluateExpression returns null
  • retain optional chaining in imported bindings
  • include runtime code for the base URI even if not using chunk loading
  • don't throw errors in persistent caching when importing node.js builtin modules via ESM
  • fix crash when using lazy-once Context modules
  • improve handling of context modules with multiple contexts
  • fix race condition HMR chunk loading when importing chunks during HMR updating
  • handle errors in runAsChild callback

v5.70.0

Compare Source

Features

  • update node.js version constraints for ESM support
  • add baseUri to entry options to configure a static base uri (the base of new URL())
  • alphabetically sort exports in namespace objects when possible
  • add __webpack_exports_info__.name.canMangle
  • add proxy support to experiments.buildHttp
  • import.meta.webpackContext as ESM alternative to require.context
  • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

Bugfixes

  • fix problem when assigning global to a variable
  • fix crash when using experiments.outputModule and loaderContext.importModule with multiple chunks
  • avoid generating progress output before the compilation has started (ProgressPlugin)
  • fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
  • include the asset module filename in hashing
  • output.clean will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

Performance

  • fix asset caching when using the BannerPlugin

Developer Experience

  • improve typings

Contributing

  • capture caching errors when running the test suite

v5.69.1

Compare Source

Revert

  • revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"

v5.69.0

Compare Source

Features

  • automatically switch to an ESM compatible environment when enabling ESM output mode
  • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module
  • add util/types to node.js built-in modules
  • add __webpack_exports_info__.<name>.canMangle api

Bugfixes

  • fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
  • avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
  • fix handling of whitespaces in semver ranges when using Module Federation
  • avoid generating hashes which contain only numbers as they likely conflict with module ids
  • fix resource name based placeholders for data uris
  • fix cache serialization for context elements
  • fix passing of stage option when instrumenting plugins for the ProfilingPlugin
  • fix tracking of declarations in concatenated modules to avoid conflicts
  • fix unstable mangling of exports
  • fix handling of # in paths of loaders
  • avoid unnecessary cache update when using experiments.buildHttp

Contributing

  • update typescript and jest

Developer Experience

  • expose some additional typings for usage in webpack-cli

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 6b11228 to 7018981 Compare March 24, 2023 23:06
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 7018981 to 0679809 Compare April 18, 2023 20:23
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 3 times, most recently from c9ea38f to f72234a Compare June 4, 2023 10:56
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from d64f9af to fc49be2 Compare June 18, 2023 09:41
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 1db8e17 to 5fc073e Compare July 6, 2023 10:15
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 5fc073e to ce75044 Compare July 9, 2023 11:44
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 3 times, most recently from 5be34b3 to cb92758 Compare July 23, 2023 10:05
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 6d70613 to 6a2c784 Compare August 1, 2023 13:45
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 6a2c784 to a374711 Compare August 9, 2023 12:21
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 1cff8d2 to b0db1a3 Compare August 27, 2023 10:25
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from b0db1a3 to bb91006 Compare September 19, 2023 14:04
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 35e4962 to 15b7239 Compare September 28, 2023 13:55
@renovate renovate bot changed the title fix(deps): update dependency webpack to v5.76.0 [security] fix(deps): update dependency webpack to v5.76.0 [security] - autoclosed Oct 1, 2023
@renovate renovate bot closed this Oct 1, 2023
@renovate renovate bot deleted the renovate/npm-webpack-vulnerability branch October 1, 2023 12:07
@renovate renovate bot changed the title fix(deps): update dependency webpack to v5.76.0 [security] - autoclosed fix(deps): update dependency webpack to v5.76.0 [security] Oct 1, 2023
@renovate renovate bot reopened this Oct 1, 2023
@renovate renovate bot restored the renovate/npm-webpack-vulnerability branch October 1, 2023 16:00
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 15b7239 to fcb5c59 Compare October 1, 2023 16:01
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 92b7d50 to 8824e5c Compare October 15, 2023 11:35
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 8824e5c to 6d3fec7 Compare October 23, 2023 15:42
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 6d3fec7 to fcd8939 Compare November 6, 2023 07:21
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from fcd8939 to 81b1658 Compare November 16, 2023 12:18
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 81b1658 to be93cbf Compare December 3, 2023 09:27
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from be93cbf to 2f82541 Compare January 14, 2024 07:24
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from fb73035 to ddcaa97 Compare February 4, 2024 11:20
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from ddcaa97 to a0f1781 Compare February 25, 2024 09:39
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from a0f1781 to a9a1d00 Compare March 9, 2024 12:57
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from a9a1d00 to 0ea14e6 Compare March 9, 2024 13:13
@renovate renovate bot changed the title fix(deps): update dependency webpack to v5.76.0 [security] fix(deps): update dependency webpack to v5.76.0 [security] - autoclosed Mar 9, 2024
@renovate renovate bot closed this Mar 9, 2024
@renovate renovate bot deleted the renovate/npm-webpack-vulnerability branch March 9, 2024 14:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants