Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency webpack to v5.76.0 [security] #181

Merged
merged 1 commit into from
Feb 10, 2024
Merged

chore(deps): update dependency webpack to v5.76.0 [security] #181

merged 1 commit into from
Feb 10, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 18, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webpack 5.49.0 -> 5.76.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Release Notes

webpack/webpack (webpack)

v5.76.0

Compare Source

Bugfixes

Features

Security

Repo Changes

New Contributors

Full Changelog: webpack/webpack@v5.75.0...v5.76.0

v5.75.0

Compare Source

Bugfixes

  • experiments.* normalize to false when opt-out
  • avoid NaN%
  • show the correct error when using a conflicting chunk name in code
  • HMR code tests existance of window before trying to access it
  • fix eval-nosources-* actually exclude sources
  • fix race condition where no module is returned from processing module
  • fix position of standalong semicolon in runtime code

Features

  • add support for @import to extenal CSS when using experimental CSS in node
  • add i64 support to the deprecated WASM implementation

Developer Experience

  • expose EnableWasmLoadingPlugin
  • add more typings
  • generate getters instead of readonly properties in typings to allow overriding them

v5.74.0

Compare Source

Features

  • add resolve.extensionAlias option which allows to alias extensions
    • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
  • add support for ES2022 features like static blocks
  • add Tree Shaking support for ProvidePlugin

Bugfixes

  • fix persistent cache when some build dependencies are on a different windows drive
  • make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
  • remove left-over from debugging in TLA/async modules runtime code
  • remove unneeded extra 1s timestamp offset during watching when files are actually untouched
    • This sometimes caused an additional second build which are not really needed
  • fix shareScope option for ModuleFederationPlugin
  • set "use-credentials" also for same origin scripts

Performance

  • Improve memory usage and performance of aggregating needed files/directories for watching
    • This affects rebuild performance

Extensibility

  • export HarmonyImportDependency for plugins

v5.73.0

Compare Source

Features

  • add options for default dynamicImportMode and prefetch and preload
  • add support for import { createRequire } from "module" in source code

Bugfixes

  • fix code generation of e. g. return"field"in Module
  • fix performance of large JSON modules
  • fix performance of async modules evaluation

Developer Experience

  • export PathData in typings
  • improve error messages with more details

v5.72.1

Compare Source

Bugfixes

  • fix __webpack_nonce__ with HMR
  • fix in operator in some cases
  • fix json parsing error messages
  • fix module concatenation with using this.importModule
  • upgrade enhanced-resolve

v5.72.0

Compare Source

Features

  • make cache warnings caused by build errors less verbose
  • Allow banner to be placed as a footer with the BannerPlugin
  • allow to concatenate asset modules

Bugfixes

  • fix RemoteModules when using HMR (Module Federation + HMR)
  • throw error when using module concatenation and cacheUnaffected
  • fix in operator with nested exports

v5.71.0

Compare Source

Features

  • choose smarter default for uniqueName when using a output.library which includes placeholders
  • add support for expressions with in of a imported binding
  • generate UMD code with arrow functions when possible

Bugfixes

  • fix source map source names for ContextModule to be relative
  • fix chunkLoading option in module module
  • fix edge case where evaluateExpression returns null
  • retain optional chaining in imported bindings
  • include runtime code for the base URI even if not using chunk loading
  • don't throw errors in persistent caching when importing node.js builtin modules via ESM
  • fix crash when using lazy-once Context modules
  • improve handling of context modules with multiple contexts
  • fix race condition HMR chunk loading when importing chunks during HMR updating
  • handle errors in runAsChild callback

v5.70.0

Compare Source

Features

  • update node.js version constraints for ESM support
  • add baseUri to entry options to configure a static base uri (the base of new URL())
  • alphabetically sort exports in namespace objects when possible
  • add __webpack_exports_info__.name.canMangle
  • add proxy support to experiments.buildHttp
  • import.meta.webpackContext as ESM alternative to require.context
  • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

Bugfixes

  • fix problem when assigning global to a variable
  • fix crash when using experiments.outputModule and loaderContext.importModule with multiple chunks
  • avoid generating progress output before the compilation has started (ProgressPlugin)
  • fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
  • include the asset module filename in hashing
  • output.clean will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

Performance

  • fix asset caching when using the BannerPlugin

Developer Experience

  • improve typings

Contributing

  • capture caching errors when running the test suite

v5.69.1

Compare Source

Revert

  • revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"

v5.69.0

Compare Source

Features

  • automatically switch to an ESM compatible environment when enabling ESM output mode
  • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module
  • add util/types to node.js built-in modules
  • add __webpack_exports_info__.<name>.canMangle api

Bugfixes

  • fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
  • avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
  • fix handling of whitespaces in semver ranges when using Module Federation
  • avoid generating hashes which contain only numbers as they likely conflict with module ids
  • fix resource name based placeholders for data uris
  • fix cache serialization for context elements
  • fix passing of stage option when instrumenting plugins for the ProfilingPlugin
  • fix tracking of declarations in concatenated modules to avoid conflicts
  • fix unstable mangling of exports
  • fix handling of # in paths of loaders
  • avoid unnecessary cache update when using experiments.buildHttp

Contributing

  • update typescript and jest

Developer Experience

  • expose some additional typings for usage in webpack-cli

v5.68.0

Compare Source

Features

  • allow to disable compile time evaluation of import.meta.url
  • add __webpack_module__ and __webpack_module__.id to the api

Bugfixes

  • fix handling of errors thrown in async modules

v5.67.0

Compare Source

Features

  • add 'outputPath' configuration option for resource asset modules
  • support Trusted Types in eval source maps
  • experiments.css
    • allow to generate only exports for css in node
    • add SyncModuleIdsPlugin to sync module ids between server and client compilation
    • add more options to the DeterministicModuleIdsPlugin to allow to generate equal ids

Developer Experience

  • limit data url module name in stats printer
  • allow specific description for CLI options
  • improve space limiting algorithm in stats printing to show partial lists
  • add null to errors in callbacks
  • fix call signature types of addChunkInGroup

Bugfixes

  • avoid reporting non-existant package.jsons as dependencies
  • experiments.css
    • fix missing css runtime when only initial css is used
    • fix css hmr support
    • bugfixes to css modules
  • fix cache serialization for CreateScriptUrlDependency
  • fix data url content when processed by a loader
  • fix regexp in identifiers that include |
  • fix ProfilingPlugin for watch scenarios
  • add layer to module names and identifiers
    • this avoid random module id changes when additional modules are added to another layer
  • provide hashFunction parameter to DependencyTemplates to allow customizing it there
  • fix HMR when experiments.lazyCompilation is enabled
  • store url as Buffer to avoid serialization warnings
  • exclude webpack-hot-middleware/client from lazy compilation

Contributing

  • remove travis configuration
  • improve spell checking

v5.66.0

Compare Source

Features

Bugfixes

  • fix CORS headers for experiments.lazyCompilation
  • fix [absolute-resource-path] for SourceMap module naming
  • avoid stack overflow when accessing many memory cached cache values in series

Performance

  • reduce default watchOptions.aggregateTimeout to 20ms

v5.65.0

Compare Source

Features

  • static evaluation understands undefined now
  • reduce container entry code by a few chars
  • use template literals when available and they make sense

Bugfixes

  • handle singleton flag without requiredVersion in Module Federation
  • upgrade watchpack for context time info bugfix

Performance

  • improve RegExp in error message formating for non-quadratic performance

Developer Experience

  • automatically insert brackets when output.globalObject contains a non-trival expression
  • show error when using script type external with invalid syntax
  • expose types for Resolver, StatsOptions and ResolvePluginInstance

Preparations for the future

  • hashDigestLength will default to 16 in webpack 6 (experiments.futureDefaults)

v5.64.4

Compare Source

Bugfixes

  • fix tagged template literal evaluation
  • fix ModuleFederation with ESM
  • fix outputModule with intial splitChunks

Performance

  • upgrade watchpack for faster watcher updating
  • track file and directory timestamps separately in watchpack and webpack

Developer Experience

  • show origin of singleton shared module in mismatch warning

v5.64.3

Compare Source

Performance

  • allow to use pre-compiled schema when Infinity is used in configuration
  • allow to use pre-compiled schema for configuration arrays

v5.64.2

Compare Source

Bugfixes

  • avoid double initial compilation due to invalid dependencies with managedPaths

v5.64.1

Compare Source

Bugfixes

  • fix regexp in managedPaths to exclude additional slash
  • make module.accept errorHandler optional in typings
  • correctly create an async chunk when using a require(...).property in require.ensure
  • fix cleaning of symlinks in output.clean: true
  • fix change detection with unsafeCache within managedPaths (node_modules)
  • bump webpack-sources for Stack Overflow bugfix

v5.64.0

Compare Source

Features

  • add asyncChunks: boolean option to disable creation of async chunks

Bugfixes

  • fix ProfilingPlugin for experiments.backCompat: false

Performance

  • avoid running regexp twice over the file list

v5.63.0

Compare Source

Features

  • allow passing chunkLoading: false to disable on-demand loading

Bugfixes

  • fix import 'single-quote' in esm build dependencies

v5.62.2

Compare Source

Bugfixes

  • fix __system_context__ injection when using the library option on entrypoint
  • enable exportsPresence: "error" by default in futureDefaults
  • fix bad performance for a RegExp in Stats printing (with large error messages)
  • fix exportPresence -> exportsPresence typo
  • fix a bug with module invalidation when only module id changes with experiments.cacheUnaffected

v5.62.1

Compare Source

Bugfix

  • fix invalid generated code when omitting ;

v5.62.0

Compare Source

Features

  • add options to configure export presence checking
    • parser.javascript.reexportExportsPresence: false allows to disable warnings for non-existing exports during the migration from export ... from "..." to export type ... from "..." for type reexports in TypeScript
  • add experiments.backCompat: false to disable some expensive deprecations for better performance

Bugfixes

  • use ['catch'] instead of .catch for better ES3 support
  • fix removed parentheses when using new (require("...")).Something()
  • fix { require } object literals
  • splitChunks.chunks option is now correctly used for splitChunks.fallbackCacheGroup.maxSize too
  • fix schema of listen option, allow to omit port
  • add better support for Promises from different isolates

Developer Experience

  • add typings for the webpack API that is available within modules
    • use /// <reference types="webpack/module" /> to use the typings in typescript modules
    • or "types": [..., "webpack/module"] in tsconfig

v5.61.0

Compare Source

Bugfixes

  • use a wasm md4 implementation for node 17 support
  • include the path submodules in the node.js default externals

Performance

  • improve string to binary conversion performance for hashing

Contribution

  • CI runs on node.js 17

v5.60.0

Compare Source

Features

  • Allow to pass more options to experiments.lazyCompilation. e. g. port, https stuff

Bugfixes

  • fix output.hashFunction used to persistent caching too
  • Initialize buildDependencies Set correctly when loaders are added in beforeLoaders hook

v5.59.1

Compare Source

Bugfixes

  • fix regexp in managedPaths
  • fix hanging when trying to write lockfile for experiments.buildHttp

v5.59.0

Compare Source

Features

  • add /*#__PURE__*/ for Object() in generated code
  • add RegExp and function support for managed/immutablePaths
  • add hooks for multiple phases in module build
  • improvements to experiments.buildHttp
    • allow to share cache
    • add allowlist
  • add splitChunks.minSizeReduction option

Bugfixes

  • fix memory caching for Data URLs
  • fix crash in waitFor when modules are unsafe cached
  • fix bug in build cycle detection

v5.58.2

Compare Source

Bugfixes

  • fix serialization context passed
  • fix a bug which caused module duplication when using persistent caching, unsafe cache and memory cache with GC
  • fix validation of snapshots of non-existing directories

Performance

v5.58.1

Compare Source

Bugfixes

  • fix .webpack[] suffix to not execute rules
  • revert performance optimization that has too large memory usage in large builds

v5.58.0

Compare Source

Features

  • add hook for readResource
  • add diagnostics_channel to node builtins

Performance

  • improve chunk graph creation performance
    • add cacheUnaffected cache support
  • remove some caching that makes not difference
  • improve splitChunks performance
  • improve chunk conditions performance

v5.57.1

Compare Source

Bugfix

  • fix experiments.cacheUnaffected which broke by last release

v5.57.0

Compare Source

Performance

  • reduce number of hash.update calls
  • allow ExternalModules to be unsafe cached
  • improve hashing performance of module lists (StringXor)

Bugfixes

  • experiments.cacheUnaffected
    • handle module/chunk id changes correctly
    • cache modules with async blocks
    • show errors when using incompatible options

v5.56.1

Compare Source

Bugfix

  • DefinePlugin: fix conflict with older variants of the plugin

v5.56.0

Compare Source

Performance

  • make DefinePlugin rebuild check more efficient performance and memory wise

v5.55.1

Compare Source

Bugfixes

  • fixes for experiments.cacheUnaffected
    • fix accidentically shared mem caches
    • avoid RuntimeSpecMap in favor of directly setting on memCache
    • compare references modules when restoring mem cache

v5.55.0

Compare Source

Performance

  • experiments.cacheUnaffected
    • reduce cache memory usage
    • make memCache per module
    • cache ESM reexport computation
  • module.unsafeCache
    • make it faster by moving it to Compilation-level instead of in NormalModuleFactory
    • omit tracking resolve dependencies since they are not used when unsafe cache is enabled
  • module graph
    • lazy assign ModuleGraphConnections to Dependencies since that is only accessed when uncached

v5.54.0

Compare Source

Features

  • improve constant folding to allow to skip more branches for && || and ??
  • allow all hashing using in webpack to be configured with output.hashFunction
  • no longer bailout completely from inner graph analysis when eval is used in a module

Bugfixes

  • force bump enhanced-resolve for bugfixes

Performance

  • reduce number of allocation when creating snapshots
  • add output.hashFunction: "xxhash64" for a super fast wasm based hash function
  • improve utf-8 conversion when serializing short strings
  • improve hashing performance for dependencies
  • add experiments.cacheUnaffected which caches computations for modules that are unchanged and reference only unchanged modules

v5.53.0

Compare Source

Features

  • add node.__dirname/__filename: "warn-mock" which warns on usage (will be enabled in webpack 6 by default)

Bugfixes

  • add stream/web to Node.js externals
  • fix IgnorePluginSchema
  • fix builds with persistent caching taking 1 minute to build at least

Experiments

  • add experiments.futureDefaults to enable defaults for webpack 6

v5.52.1

Compare Source

Performance

  • split fresh created persistent cache files by time to avoid creating very large files

v5.52.0

Compare Source

Feature

  • experiments.executeModule is enabled by default and the option is removed
    • loaders are now free to use this.importModule

Bugfixes

  • fix generated __WEBPACK_EXTERNAL_MODULE_null__, which leads to merged externals
  • .webpack[...] extension is not part of matching and module name

v5.51.2

Compare Source

Bugfixes

  • fix crash in FileSystemInfo when errors occur
  • avoid property access of reserved properties
  • fix reexports from async modules
  • automatically close an active watching when closing the compiler
  • when filenames of other runtimes are referenced that need a full hash, upgrade referencing runtime moduel to full hash mode too
    • fixes a bug where [contenthash] is undefined when using new Worker

v5.51.1

Compare Source

Bugfixes

  • library: "module" propages top-level-await correctly
  • fix crash in filesystem snapshotting when trying to snapshot a non-existing directory
  • fix some context-dependent logic in concatenated modules and source url handling

v5.51.0

Compare Source

Bugfixes

  • correctly keep chunk loading state when the chunk loading logic is HMR updated
    • This fixes some edge cases that e. g. occur when using lazy compilation for entrypoints. It is now able to HMR update that instead of needing a manual reload. Also see fixes in webpack-dev-server@4.
  • track and resolve symlinks for filesystem snapshotting
    • This fixes some cases of circular yarn linking of dependencies.
    • It also fixes some problems when using package managers that use symlinks to deduplicate (e. g. cnpm or pnpm)
  • pass the resulting module in the callbacks of Compilation.addModuleChain and Compilation.addModuleTree

v5.50.0

Compare Source

Features

Performance

  • disable cache compression by default as it tend to make performance worse
    • I could still be enabled again for specific scenarios
  • reduce the number of allocations during cache serialization
    • This improves performance and memory usage

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 4 times, most recently from f67647c to 419455f Compare March 24, 2023 21:34
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 419455f to b4afca8 Compare February 10, 2024 18:20
@renovate renovate bot merged commit dded092 into next Feb 10, 2024
4 checks passed
@renovate renovate bot deleted the renovate/npm-webpack-vulnerability branch February 10, 2024 22:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants