-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency webpack to v5.76.0 [security] #145
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-webpack-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
March 23, 2023 21:44
eef9b7e
to
75f2d15
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 3, 2023 10:15
75f2d15
to
a0cfa14
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 17, 2023 12:13
a0cfa14
to
89684cd
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
June 4, 2023 09:20
72f6bff
to
cabc379
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
June 18, 2023 08:48
b2252a0
to
e473133
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
June 29, 2023 11:13
e473133
to
a7e27ba
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
3 times, most recently
from
July 9, 2023 10:51
754ea8f
to
52d198d
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
July 19, 2023 10:09
e9b3b02
to
5ae204c
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
August 1, 2023 16:20
c2ff94a
to
966931b
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 9, 2023 12:49
966931b
to
f6282f9
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
August 27, 2023 11:58
4f860b3
to
e82a1e8
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
September 19, 2023 11:07
e82a1e8
to
68ea3f3
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
September 28, 2023 16:41
7a805a3
to
06d16a9
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
October 15, 2023 15:17
2f953ad
to
9ede4e7
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
October 23, 2023 12:48
9ede4e7
to
12327cd
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
November 6, 2023 07:01
12327cd
to
7b081bc
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
November 16, 2023 11:14
c102ca0
to
21a6961
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
December 3, 2023 12:01
21a6961
to
c734c43
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
February 4, 2024 09:26
389de53
to
0548dd4
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
February 25, 2024 11:07
0548dd4
to
8353f7b
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
March 12, 2024 12:40
8353f7b
to
26c52de
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
March 24, 2024 13:41
98f5067
to
f093072
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
April 21, 2024 08:58
fc533cd
to
f9252b1
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 25, 2024 07:40
f9252b1
to
16368eb
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
June 4, 2024 14:45
16368eb
to
21d89de
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
July 21, 2024 13:53
21d89de
to
336b8e2
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 6, 2024 10:29
336b8e2
to
bc2a4be
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 28, 2024 09:42
bc2a4be
to
86004cd
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
October 9, 2024 10:09
86004cd
to
63fe3f6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.0.0
->5.76.0
GitHub Vulnerability Alerts
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Release Notes
webpack/webpack (webpack)
v5.76.0
Compare Source
Bugfixes
generatedCode
info to fix bug in asset module cache restoration by @ryanwilsonperkin in https://github.com/webpack/webpack/pull/16703hashRegExp
lookup by @ryanwilsonperkin in https://github.com/webpack/webpack/pull/16759Features
target
toLoaderContext
type by @askoufis in https://github.com/webpack/webpack/pull/16781Security
Repo Changes
New Contributors
Full Changelog: webpack/webpack@v5.75.0...v5.76.0
v5.75.0
Compare Source
Bugfixes
experiments.*
normalize tofalse
when opt-outNaN%
window
before trying to access iteval-nosources-*
actually exclude sourcesFeatures
@import
to extenal CSS when using experimental CSS in nodei64
support to the deprecated WASM implementationDeveloper Experience
EnableWasmLoadingPlugin
v5.74.0
Compare Source
Features
resolve.extensionAlias
option which allows to alias extensions.js
extension to imports when the file really has a.ts
extension (typescript +"type": "module"
)ProvidePlugin
Bugfixes
shareScope
option forModuleFederationPlugin
"use-credentials"
also for same origin scriptsPerformance
Extensibility
HarmonyImportDependency
for pluginsv5.73.0
Compare Source
Features
dynamicImportMode
and prefetch and preloadimport { createRequire } from "module"
in source codeBugfixes
return"field"in Module
Developer Experience
PathData
in typingsv5.72.1
Compare Source
Bugfixes
__webpack_nonce__
with HMRin
operator in some casesthis.importModule
v5.72.0
Compare Source
Features
Bugfixes
in
operator with nested exportsv5.71.0
Compare Source
Features
uniqueName
when using aoutput.library
which includes placeholdersin
of a imported bindingBugfixes
chunkLoading
option in module moduleevaluateExpression
returnsnull
lazy-once
Context modulesrunAsChild
callbackv5.70.0
Compare Source
Features
baseUri
toentry
options to configure a static base uri (the base ofnew URL()
)__webpack_exports_info__.name.canMangle
experiments.buildHttp
import.meta.webpackContext
as ESM alternative torequire.context
Bugfixes
global
to a variableexperiments.outputModule
andloaderContext.importModule
with multiple chunksoutput.clean
will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browserPerformance
Developer Experience
Contributing
v5.69.1
Compare Source
Revert
v5.69.0
Compare Source
Features
resolve.alias
orresolve.modules
) when creating an context moduleutil/types
to node.js built-in modules__webpack_exports_info__.<name>.canMangle
apiBugfixes
stage
option when instrumenting plugins for the ProfilingPlugin#
in paths of loadersexperiments.buildHttp
Contributing
Developer Experience
v5.68.0
Compare Source
Features
__webpack_module__
and__webpack_module__.id
to the apiBugfixes
v5.67.0
Compare Source
Features
experiments.css
SyncModuleIdsPlugin
to sync module ids between server and client compilationDeterministicModuleIdsPlugin
to allow to generate equal idsDeveloper Experience
null
to errors in callbacksBugfixes
experiments.css
|
webpack-hot-middleware/client
from lazy compilationContributing
v5.66.0
Compare Source
Features
output.library.type: "commonjs-static"
to emit a statically analyse-able commonjs module (for node.js esm interop support)experiments.css
(very experimental)Bugfixes
experiments.lazyCompilation
[absolute-resource-path]
for SourceMap module namingPerformance
watchOptions.aggregateTimeout
to 20msv5.65.0
Compare Source
Features
undefined
nowBugfixes
singleton
flag withoutrequiredVersion
in Module Federationwatchpack
for context time info bugfixPerformance
Developer Experience
output.globalObject
contains a non-trival expressionscript
type external with invalid syntaxResolver
,StatsOptions
andResolvePluginInstance
Preparations for the future
hashDigestLength
will default to 16 in webpack 6 (experiments.futureDefaults
)v5.64.4
Compare Source
Bugfixes
Performance
Developer Experience
v5.64.3
Compare Source
Performance
Infinity
is used in configurationv5.64.2
Compare Source
Bugfixes
v5.64.1
Compare Source
Bugfixes
require(...).property
inrequire.ensure
output.clean: true
unsafeCache
withinmanagedPaths
(node_modules)v5.64.0
Compare Source
Features
asyncChunks: boolean
option to disable creation of async chunksBugfixes
experiments.backCompat: false
Performance
v5.63.0
Compare Source
Features
chunkLoading: false
to disable on-demand loadingBugfixes
import 'single-quote'
in esm build dependenciesv5.62.2
Compare Source
Bugfixes
__system_context__
injection when using thelibrary
option on entrypointexportsPresence: "error"
by default infutureDefaults
exportPresence
->exportsPresence
typoexperiments.cacheUnaffected
v5.62.1
Compare Source
Bugfix
;
v5.62.0
Compare Source
Features
parser.javascript.reexportExportsPresence: false
allows to disable warnings for non-existing exports during the migration fromexport ... from "..."
toexport type ... from "..."
for type reexports in TypeScriptexperiments.backCompat: false
to disable some expensive deprecations for better performanceBugfixes
['catch']
instead of.catch
for better ES3 supportnew (require("...")).Something()
{ require }
object literalssplitChunks.chunks
option is now correctly used forsplitChunks.fallbackCacheGroup.maxSize
toolisten
option, allow to omitport
Developer Experience
/// <reference types="webpack/module" />
to use the typings in typescript modules"types": [..., "webpack/module"]
in tsconfigv5.61.0
Compare Source
Bugfixes
path
submodules in the node.js default externalsPerformance
Contribution
v5.60.0
Compare Source
Features
experiments.lazyCompilation
. e. g. port, https stuffBugfixes
output.hashFunction
used to persistent caching toobuildDependencies
Set correctly when loaders are added inbeforeLoaders
hookv5.59.1
Compare Source
Bugfixes
experiments.buildHttp
v5.59.0
Compare Source
Features
/*#__PURE__*/
forObject()
in generated codemanaged/immutablePaths
experiments.buildHttp
splitChunks.minSizeReduction
optionBugfixes
waitFor
when modules are unsafe cachedv5.58.2
Compare Source
Bugfixes
Performance
v5.58.1
Compare Source
Bugfixes
.webpack[]
suffix to not execute rulesv5.58.0
Compare Source
Features
diagnostics_channel
to node builtinsPerformance
v5.57.1
Compare Source
Bugfix
v5.57.0
Compare Source
Performance
Bugfixes
v5.56.1
Compare Source
Bugfix
v5.56.0
Compare Source
Performance
v5.55.1
Compare Source
Bugfixes
experiments.cacheUnaffected
v5.55.0
Compare Source
Performance
experiments.cacheUnaffected
module.unsafeCache
v5.54.0
Compare Source
Features
&&
||
and??
output.hashFunction
eval
is used in a moduleBugfixes
Performance
output.hashFunction: "xxhash64"
for a super fast wasm based hash functionexperiments.cacheUnaffected
which caches computations for modules that are unchanged and reference only unchanged modulesv5.53.0
Compare Source
Features
node.__dirname/__filename: "warn-mock"
which warns on usage (will be enabled in webpack 6 by default)Bugfixes
stream/web
to Node.js externalsExperiments
experiments.futureDefaults
to enable defaults for webpack 6v5.52.1
Compare Source
Performance
v5.52.0
Compare Source
Feature
experiments.executeModule
is enabled by default and the option is removedthis.importModule
Bugfixes
__WEBPACK_EXTERNAL_MODULE_null__
, which leads to merged externals.webpack[...]
extension is not part of matching and module namev5.51.2
Compare Source
Bugfixes
[contenthash]
is undefined when usingnew Worker
v5.51.1
Compare Source
Bugfixes
library: "module"
propages top-level-await correctlyv5.51.0
Compare Source
Bugfixes
yarn link
ing of dependencies.Compilation.addModuleChain
andCompilation.addModuleTree
v5.50.0
Compare Source
Features
#! ...
) are now handled by webpackPerformance
v5.49.0
Compare Source
Features
experiments.buildHttp
to buildhttp(s)://
imports instead of keeping them externalwebpack.lock
file with integrity andwebpack.lock.data
with cached content that should be committed(might be disabled with
experiments.buildHttp.upgrade: false
)(exception:
Cache-Control: no-cache
).webpack.lock.data
persisting can be disabled withexperiments.buildHttp.cacheLocation: false
.That will will introduce a availability risk.
(webpack cache will be used to cache network responses)
Bugfixes
splitChunks.maxSize
introduces in the last releasebail
is setPerformance
v5.48.0
Compare Source
Features
Bugfixes
v5.47.1
Compare Source
Bugfixes
v5.47.0
Compare Source
Performance
Bugfixes
"use strict"
s in module modev5.46.0
Compare Source
Features
stats.reasonsSpace
andstats.groupReasonsByOrigin
Bugfixes
Performance
v5.45.1
Compare Source
Bugfixes
assert
in other placesimport(/* webpackPrefetch: true */ ...)
no longer breaks library outputv5.45.0
Compare Source
Features
Bugfixes
.cjs
output filesPerformance
Contributing
v5.44.0
Compare Source
Features
output.module
+optimization.runtimeChunk
Bugfixes
v5.43.0
Compare Source
Features
runtime: false
in entry description to disable runtime chunkruntime
option in ModuleFederationPlugin and ContainerPluginBugfixes
"module"
externals when concatenatedPerformance
v5.42.1
Compare Source
Bugfixes
jsonData
ordataUrl
of undefinedv5.42.0
Compare Source
Features
cache.compression
Bugfixes
node-commonjs
to schema forexternalsType
system
externalsPerformance
v5.41.1
Compare Source
Bugfixes
Performance
v5.41.0
Compare Source
Features
cache.idleTimeoutAfterLargeChanges
to control thatBugfixes
Experiments
experiments.outputModule: true
)output.library.type: "module"
: very basic support, no live bindings, unnecessary runtime codeoutput.chunkLoading: "import"
output.chunkFormat: "module"
externalsType: "module"
generates nowimport * as X from "..."
(in a module) orimport("...")
(in a script)import { createRequire } from "module"
in a modulenew Worker
etc. sets `type: "module"v5.40.0
Compare Source
Features
node:
prefixed requests as node.js externalsinstanceof Promise
in favor ofp && typeof p.then === "function"
to allow mixing different Promise implementionsBugfixes
Performance
Developer Experience
Buffer
inthis.emitFile
typings (loader context)reset
cli argument descriptionv5.39.1
Compare Source
Bugfixes
v5.39.0
Compare Source
Features
import()
context (import with expression)Bugfixes
cache.allowCollectingMemory
Performance
Error.captureStackTrace
from webpack errorsv5.38.1
Compare Source
Performance
v5.38.0
Compare Source
Features
new URL("data:...", import.meta.url)
is now supportedmodule.rules[].scheme
as condition to match the request scheme (likedata
,http
, etc.)Bugfixes
Performance
v5.37.1
Compare Source
Bugfixes
Watching.invalidate
,dependencies
andparallelism
of the config array is now respected correctlystats
after the next compilation has startedWatching.suspend
RuleCondition.not
and allow passing a condition directly instead of only an arrayDeveloper Experience
Contributing
v5.37.0
Compare Source
Features
output.trustedTypes
Bugfixes
dependOn
null
in fs callbacksDeveloper Experiences
v5.36.2
Compare Source
Bugfixes
output.clean
is against this assumptionv5.36.1
Compare Source
Performance
cache.profile
(type: "filesystem"
only) flag for more info about (de)serialization timingsv5.36.0
Compare Source
Features
Performance
v5.35.1
Compare Source
Bugfixes
__webpack_exports__ is not defined
error with some library typesperformance
v5.35.0
Compare Source
Bugfixes
#
in pathPerformance
v5.34.0
Compare Source
Features
resolve.extensions
and handle them in this orderpnpapi
as builtin external when usingtarget: "node"
Bugfixes
target: "node"
Performance
Developer Experience
store: 'idle'
from schema descriptionv5.33.2
Compare Source
Bugfix
v5.33.1
Compare Source
Bugfix
this.importModule
v5.33.0
Compare Source
Features
publicPath
per entrypointentry.xxx.publicPath
optionBugfix
executeModule
Performance
export *
and reexportsv5.32.0
Compare Source
Features
.webpack[type]
(e. g..webpack[javascript/auto]
) to specify the default module type when no other module type is specified!=!
inline syntaxBugfixes
Experiments
experiments.executeModule
to allow build-time execution of modules of the module graphthis.importModule(request, options, [callback]): Promise
to the loader contextcompilation.executeModule(request, options, callback)
for pluginsv5.31.2
Compare Source
Bugfixes
v5.31.1
Compare Source
Bugfixes
Memory
Performance
v5.31.0
Compare Source
Features
infrastructureLogging.colors
: Enables/Disables colorful output.infrastructureLogging.appendOnly
: Only appends lines to the output. Avoids updating existing output e. g. for status messages.infrastructureLogging.stream
: Stream used for logging output. Defaults to process.stderr.infrastructureLogging.console
: Custom console used for logging.Bugfixes
exports
field is usedv5.30.0
Compare Source
Features
cache.maxGenerations
whencache.type: "memory"
cache.type: "filesystem"
andmode: "development"
cache.maxMemoryGenerations
whencache.type: "filesystem"
cache.maxAge
cache.maxMemoryGenerations: 0
Bugfixes
GC = Garbage Collection
v5.29.0
Compare Source
Bugfixes
splitChunks.maxSize
which cause too large chunks to be createdstats.groupModulesByType
to the schemaDeveloper Experience
Module/Const/NullDependency
on the APIv5.28.0
Compare Source
Features
module.generator.asset.publicPath
to configure a different publicPath for assetsBugfixes
Performance
v5.27.2
Compare Source
Bugfixes
beforeLoaders
hookexperiments.lazyCompilation
is used (regression)import()
new URL(new URL
generated by worker handingv5.27.1
Compare Source
Bugfix
v5.27.0
Compare Source
Features
utils: { contextify(context, absolutePath), absolutify(context, request) }
to loader contextBugfixes
imports
field handlingv5.26.3
Compare Source
Bugfix
v5.26.2
Compare Source
Bugfixes
v5.26.1
Compare Source
Bugfixes
Set.addAll
polyfill../
when generation the undo path for non-web targetsv5.26.0
Compare Source
Features
DefinePlugin.runtimeValue
(file/context/missing/buildDependencies, version)Bugfixes
v5.25.1
Compare Source
Bugfixes
type: "module"
for Workers when generating classic scriptsv5.25.0
Compare Source
Features
__webpack_runtime_id__
to access the current runtime idoutput.strictModuleErrorHandling
to opt into stricter evaluation error handling semantics according to ESM specnew URL()
this will result in an url to a empty file ("data:,"
)module.generator.asset.emit
option to disable creating assets from asset modules (e. g. for SSR)Bugfixes
splitChunks.maxSize
where negative indicies are accessedsplitChunks.maxSize
in some cases when multiple size types are involvedDeprecations
output.strictModuleExceptionHandling
(this is the CommonJS way of handling errors, and the name is weird)v5.24.4
Compare Source
Bugfixes
externals
"..."
in array configuration options when it's not at the startv5.24.3
Compare Source
Bugfixes
v5.24.2
Compare Source
Bugfixes
modifiedFiles
andremovedFiles
were undefinedv5.24.1
Compare Source
Performance
Developer Experience
v5.24.0
Compare Source
Bugfixes
export *
that point to the same exportexperiments.lazyCompilation: true
. It now has an effect.Developer Experience
Watching
typeContribution
Performance
v5.23.0
Compare Source
Features
parserOptions.url: "relative"
optionnew URL
(e. g. for SSG/SSR)Bugfixes
Developer Experience
v5.22.0
Compare Source
Features
'...'
string instead of"..."
(only affects output side when not minimized)dependencies
configuration option now works for watch builds toodependencies
has changeddependencies
have finishedparallelism
config option on the array of configurations to limit the compilers that are running in parallelDeveloper Experience
Did you mean ...
) to resolve errors whenConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.