Bump minimum required webpack version to 5.76.0 (#568)

This change addresses CVE-2023-28154 by requiring a non-affected version
of webpack (5.76.0 or higher).

While shakapacker itself is not directly impacted by this vulnerability,
as webpack is a peer dependency and there are no constraints preventing
developers from upgrading to a non-vulnerable version, this bump ensures
a safer default.

Note: The 5.99.x series was intentionally avoided due to its recent
release and the risk of last-minute bugs, as evidenced by several patch
upgrades in quick succession.

Additionally, using 5.76.0 provides more stability and flexibility,
including the ability to downgrade webpack if needed.

Supersedes #564, Fix #567

References:
- GHSA-hc6q-2mpp-qw7j

test

Co-authored-by: Derrick Granowski <granowski@gmail.com>

Author: tagliala

CHANGELOG.md

@@ -15,6 +15,7 @@ Changes since the last non-beta release.
 ### Changed
 
 - Instead of a fixed `core-js` version, take the current one from `node_modules` if available. [PR 556](https://github.com/shakacode/shakapacker/pull/556) by [alexeyr-ci2](https://github.com/alexeyr-ci2).
+- Require webpack >= 5.76.0 to reduce exposure to CVE-2023-28154. [PR 568](https://github.com/shakacode/shakapacker/pull/568) by [granowski](https://github.com/granowski).
 
 ### Fixed
 

package.json

@@ -33,18 +33,18 @@
     "eslint": "^8.0.0",
     "eslint-config-airbnb": "^19.0.0",
     "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-import": "^2.24.2",
+    "eslint-plugin-import": "^2.31.0",
     "eslint-plugin-jest": "^27.9.0",
-    "eslint-plugin-jsx-a11y": "^6.4.1",
-    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-react": "^7.26.0",
+    "eslint-plugin-jsx-a11y": "^6.10.2",
+    "eslint-plugin-prettier": "^5.2.6",
+    "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^4.6.0",
-    "jest": "^28.1.3",
+    "jest": "^29.7.0",
     "memory-fs": "^0.5.0",
     "prettier": "^3.2.5",
     "swc-loader": "^0.1.15",
     "thenify": "^3.3.1",
-    "webpack": "^5.72.0",
+    "webpack": "5.93.0",
     "webpack-assets-manifest": "^5.0.6",
     "webpack-merge": "^5.8.0"
   },
@@ -58,7 +58,7 @@
     "babel-loader": "^8.2.4 || ^9.0.0 || ^10.0.0",
     "compression-webpack-plugin": "^9.0.0 || ^10.0.0|| ^11.0.0",
     "terser-webpack-plugin": "^5.3.1",
-    "webpack": "^5.72.0",
+    "webpack": "^5.76.0",
     "webpack-assets-manifest": "^5.0.6 || ^6.0.0",
     "webpack-cli": "^4.9.2 || ^5.0.0 || ^6.0.0",
     "webpack-dev-server": "^4.9.0 || ^5.0.0",

spec/dummy/package.json

@@ -28,7 +28,7 @@
     "style-loader": "^3.3.1",
     "terser-webpack-plugin": "^5.3.3",
     "typescript": "^4.7.3",
-    "webpack": "^5.73.0",
+    "webpack": "^5.76.0",
     "webpack-assets-manifest": "^5.1.0",
     "webpack-cli": "^4.9.2",
     "webpack-merge": "^5.8.0",