Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade webpack from 5.22.0 to 5.74.0 #34

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade webpack from 5.22.0 to 5.74.0 #34

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade webpack from 5.22.0 to 5.74.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 93 versions ahead of your current version.
  • The recommended version was released a month ago, on 2022-07-25.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Regular Expression Denial of Service (ReDoS)
npm:underscore.string:20170908		 375/1000
Why? CVSS 7.5		 No Known Exploit
Improper Input Validation
SNYK-JS-URLPARSE-2407770		 375/1000
Why? CVSS 7.5		 Proof of Concept
Arbitrary File Write
SNYK-JS-TAR-1579155		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Write
SNYK-JS-TAR-1579152		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Write
SNYK-JS-TAR-1579147		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Overwrite
SNYK-JS-TAR-1536531		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary File Overwrite
SNYK-JS-TAR-1536528		 375/1000
Why? CVSS 7.5		 No Known Exploit
Remote Code Execution (RCE)
SNYK-JS-PACRESOLVER-1564857		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NTHCHECK-1586032		 375/1000
Why? CVSS 7.5		 Proof of Concept
Server-side Request Forgery (SSRF)
SNYK-JS-NETMASK-1089716		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MOMENT-2944238		 375/1000
Why? CVSS 7.5		 Proof of Concept
Directory Traversal
SNYK-JS-MOMENT-2440688		 375/1000
Why? CVSS 7.5		 No Known Exploit
Command Injection
SNYK-JS-LODASH-1040724		 375/1000
Why? CVSS 7.5		 Proof of Concept
Improper Verification of Cryptographic Signature
SNYK-JS-JSRSASIGN-2869122		 375/1000
Why? CVSS 7.5		 Proof of Concept
Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922		 375/1000
Why? CVSS 7.5		 No Known Exploit
Prototype Pollution
SNYK-JS-GETOBJECT-1054932		 375/1000
Why? CVSS 7.5		 No Known Exploit
Remote Code Execution (RCE)
SNYK-JS-EJS-2803307		 375/1000
Why? CVSS 7.5		 Proof of Concept
Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-1579269		 375/1000
Why? CVSS 7.5		 Proof of Concept
Prototype Pollution
SNYK-JS-ASYNC-2441827		 375/1000
Why? CVSS 7.5		 Proof of Concept
Prototype Pollution
SNYK-JS-ASYNC-2441827		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIHTML-1296849		 375/1000
Why? CVSS 7.5		 Proof of Concept
Authorization Bypass Through User-Controlled Key
SNYK-JS-URLPARSE-2412697		 375/1000
Why? CVSS 7.5		 Proof of Concept
Authorization Bypass
SNYK-JS-URLPARSE-2407759		 375/1000
Why? CVSS 7.5		 Proof of Concept
Access Restriction Bypass
SNYK-JS-URLPARSE-2401205		 375/1000
Why? CVSS 7.5		 Proof of Concept
Open Redirect
SNYK-JS-URLPARSE-1533425		 375/1000
Why? CVSS 7.5		 Proof of Concept
Improper Input Validation
SNYK-JS-URLPARSE-1078283		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary Code Injection
SNYK-JS-UNDERSCORE-1080984		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-UGLIFYJS-1727251		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TERSER-2806366		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TERSER-2806366		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-POSTCSS-1090595		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHPARSE-1077067		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-NODEFETCH-2342118		 375/1000
Why? CVSS 7.5		 No Known Exploit
Information Exposure
SNYK-JS-NANOID-2332193		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-MARKDOWNIT-2331914		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 375/1000
Why? CVSS 7.5		 Proof of Concept
Cryptographic Weakness
SNYK-JS-JSRSASIGN-1244072		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-I-1726768		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355		 375/1000
Why? CVSS 7.5		 Proof of Concept
Race Condition
SNYK-JS-GRUNT-2813632		 375/1000
Why? CVSS 7.5		 Proof of Concept
Directory Traversal
SNYK-JS-GRUNT-2635969		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2332181		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-EVENTSOURCE-2823375		 375/1000
Why? CVSS 7.5		 Proof of Concept
Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899		 375/1000
Why? CVSS 7.5		 No Known Exploit
Arbitrary Code Injection
SNYK-JS-EJS-1049328		 375/1000
Why? CVSS 7.5		 Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-BROWSERSLIST-1090194		 375/1000
Why? CVSS 7.5		 Proof of Concept
Uninitialized Memory Exposure
npm:utile:20180614		 375/1000
Why? CVSS 7.5		 No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758		 375/1000
Why? CVSS 7.5		 No Known Exploit
Prototype Pollution
SNYK-JS-MINIMIST-2429795		 375/1000
Why? CVSS 7.5		 Proof of Concept
Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346		 375/1000
Why? CVSS 7.5		 No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: webpack
  • 5.74.0 - 2022-07-25

    Features

    • add resolve.extensionAlias option which allows to alias extensions
      • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
    • add support for ES2022 features like static blocks
    • add Tree Shaking support for ProvidePlugin

    Bugfixes

    • fix persistent cache when some build dependencies are on a different windows drive
    • make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
    • remove left-over from debugging in TLA/async modules runtime code
    • remove unneeded extra 1s timestamp offset during watching when files are actually untouched
      • This sometimes caused an additional second build which are not really needed
    • fix shareScope option for ModuleFederationPlugin
    • set "use-credentials" also for same origin scripts

    Performance

    • Improve memory usage and performance of aggregating needed files/directories for watching
      • This affects rebuild performance

    Extensibility

    • export HarmonyImportDependency for plugins
  • 5.73.0 - 2022-06-02

    Features

    • add options for default dynamicImportMode and prefetch and preload
    • add support for import { createRequire } from "module" in source code

    Bugfixes

    • fix code generation of e. g. return"field"in Module
    • fix performance of large JSON modules
    • fix performance of async modules evaluation

    Developer Experience

    • export PathData in typings
    • improve error messages with more details
  • 5.72.1 - 2022-05-10

    Bugfixes

    • fix __webpack_nonce__ with HMR
    • fix in operator in some cases
    • fix json parsing error messages
    • fix module concatenation with using this.importModule
    • upgrade enhanced-resolve
  • 5.72.0 - 2022-04-07

    Features

    • make cache warnings caused by build errors less verbose
    • Allow banner to be placed as a footer with the BannerPlugin
    • allow to concatenate asset modules

    Bugfixes

    • fix RemoteModules when using HMR (Module Federation + HMR)
    • throw error when using module concatenation and cacheUnaffected
    • fix in operator with nested exports
  • 5.71.0 - 2022-04-01

    Features

    • choose smarter default for uniqueName when using a output.library which includes placeholders
    • add support for expressions with in of a imported binding
    • generate UMD code with arrow functions when possible

    Bugfixes

    • fix source map source names for ContextModule to be relative
    • fix chunkLoading option in module module
    • fix edge case where evaluateExpression returns null
    • retain optional chaining in imported bindings
    • include runtime code for the base URI even if not using chunk loading
    • don't throw errors in persistent caching when importing node.js builtin modules via ESM
    • fix crash when using lazy-once Context modules
    • improve handling of context modules with multiple contexts
    • fix race condition HMR chunk loading when importing chunks during HMR updating
    • handle errors in runAsChild callback
  • 5.70.0 - 2022-03-03

    Features

    • update node.js version constraints for ESM support
    • add baseUri to entry options to configure a static base uri (the base of new URL())
    • alphabetically sort exports in namespace objects when possible
    • add __webpack_exports_info__.name.canMangle
    • add proxy support to experiments.buildHttp
    • import.meta.webpackContext as ESM alternative to require.context
    • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

    Bugfixes

    • fix problem when assigning global to a variable
    • fix crash when using experiments.outputModule and loaderContext.importModule with multiple chunks
    • avoid generating progress output before the compilation has started (ProgressPlugin)
    • fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
    • include the asset module filename in hashing
    • output.clean will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

    Performance

    • fix asset caching when using the BannerPlugin

    Developer Experience

    • improve typings

    Contributing

    • capture caching errors when running the test suite
  • 5.69.1 - 2022-02-17

    Revert

    • revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"
  • 5.69.0 - 2022-02-15

    Features

    • automatically switch to an ESM compatible environment when enabling ESM output mode
    • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module
    • add util/types to node.js built-in modules
    • add __webpack_exports_info__.<name>.canMangle api

    Bugfixes

    • fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
    • avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
    • fix handling of whitespaces in semver ranges when using Module Federation
    • avoid generating hashes which contain only numbers as they likely conflict with module ids
    • fix resource name based placeholders for data uris
    • fix cache serialization for context elements
    • fix passing of stage option when instrumenting plugins for the ProfilingPlugin
    • fix tracking of declarations in concatenated modules to avoid conflicts
    • fix unstable mangling of exports
    • fix handling of # in paths of loaders
    • avoid unnecessary cache update when using experiments.buildHttp

    Contributing

    • update typescript and jest

    Developer Experience

    • expose some additional typings for usage in webpack-cli
  • 5.68.0 - 2022-01-31

    Features

    • allow to disable compile time evaluation of import.meta.url
    • add __webpack_module__ and __webpack_module__.id to the api

    Bugfixes

    • fix handling of errors thrown in async modules
  • 5.67.0 - 2022-01-21

    Features

    • add 'outputPath' configuration option for resource asset modules
    • support Trusted Types in eval source maps
    • experiments.css
      • allow to generate only exports for css in node
      • add SyncModuleIdsPlugin to sync module ids between server and client compilation
      • add more options to the DeterministicModuleIdsPlugin to allow to generate equal ids

    Developer Experience

    • limit data url module name in stats printer
    • allow specific description for CLI options
    • improve space limiting algorithm in stats printing to show partial lists
    • add null to errors in callbacks
    • fix call signature types of addChunkInGroup

    Bugfixes

    • avoid reporting non-existant package.jsons as dependencies
    • experiments.css
      • fix missing css runtime when only initial css is used
      • fix css hmr support
      • bugfixes to css modules
    • fix cache serialization for CreateScriptUrlDependency
    • fix data url content when processed by a loader
    • fix regexp in identifiers that include |
    • fix ProfilingPlugin for watch scenarios
    • add layer to module names and identifiers
      • this avoid random module id changes when additional modules are added to another layer
    • provide hashFunction parameter to DependencyTemplates to allow customizing it there
    • fix HMR when experiments.lazyCompilation is enabled
    • store url as Buffer to avoid serialization warnings
    • exclude webpack-hot-middleware/client from lazy compilation

    Contributing

    • remove travis configuration
    • improve spell checking
  • 5.66.0 - 2022-01-12
  • 5.65.0 - 2021-12-06
  • 5.64.4 - 2021-11-25
  • 5.64.3 - 2021-11-24
  • 5.64.2 - 2021-11-20
  • 5.64.1 - 2021-11-15
  • 5.64.0 - 2021-11-11
  • 5.63.0 - 2021-11-09
  • 5.62.2 - 2021-11-09
  • 5.62.1 - 2021-11-05
  • 5.62.0 - 2021-11-05
  • 5.61.0 - 2021-10-29
  • 5.60.0 - 2021-10-25
  • 5.59.1 - 2021-10-20
  • 5.59.0 - 2021-10-19
  • 5.58.2 - 2021-10-13
  • 5.58.1 - 2021-10-08
  • 5.58.0 - 2021-10-07
  • 5.57.1 - 2021-10-05
  • 5.57.0 - 2021-10-05
  • 5.56.1 - 2021-10-04
  • 5.56.0 - 2021-10-01
  • 5.55.1 - 2021-09-29
  • 5.55.0 - 2021-09-28
  • 5.54.0 - 2021-09-24
  • 5.53.0 - 2021-09-16
  • 5.52.1 - 2021-09-10
  • 5.52.0 - 2021-09-03
  • 5.51.2 - 2021-09-02
  • 5.51.1 - 2021-08-19
  • 5.51.0 - 2021-08-19
  • 5.50.0 - 2021-08-10
  • 5.49.0 - 2021-08-06
  • 5.48.0 - 2021-08-02
  • 5.47.1 - 2021-07-29
  • 5.47.0 - 2021-07-27
  • 5.46.0 - 2021-07-22
  • 5.45.1 - 2021-07-16
  • 5.45.0 - 2021-07-16
  • 5.44.0 - 2021-07-08
  • 5.43.0 - 2021-07-06
  • 5.42.1 - 2021-07-05
  • 5.42.0 - 2021-07-02
  • 5.41.1 - 2021-06-29
  • 5.41.0 - 2021-06-28
  • 5.40.0 - 2021-06-21
  • 5.39.1 - 2021-06-17
  • 5.39.0 - 2021-06-14
  • 5.38.1 - 2021-05-27
  • 5.38.0 - 2021-05-27
  • 5.37.1 - 2021-05-19
  • 5.37.0 - 2021-05-10
  • 5.36.2 - 2021-04-30
  • 5.36.1 - 2021-04-28
  • 5.36.0 - 2021-04-27
  • 5.35.1 - 2021-04-23
  • 5.35.0 - 2021-04-21
  • 5.34.0 - 2021-04-19
  • 5.33.2 - 2021-04-14
  • 5.33.1 - 2021-04-14
  • 5.33.0 - 2021-04-14
  • 5.32.0 - 2021-04-12
  • 5.31.2 - 2021-04-09
  • 5.31.1 - 2021-04-09
  • 5.31.0 - 2021-04-07
  • 5.30.0 - 2021-04-01
  • 5.29.0 - 2021-04-01
  • 5.28.0 - 2021-03-24
  • 5.27.2 - 2021-03-22
  • 5.27.1 - 2021-03-20
  • 5.27.0 - 2021-03-19
  • 5.26.3 - 2021-03-17
  • 5.26.2 - 2021-03-16
  • 5.26.1 - 2021-03-16
  • 5.26.0 - 2021-03-15
  • 5.25.1 - 2021-03-14
  • 5.25.0 - 2021-03-12
  • 5.24.4 - 2021-03-08
  • 5.24.3 - 2021-03-03
  • 5.24.2 - 2021-02-24
  • 5.24.1 - 2021-02-23
  • 5.24.0 - 2021-02-22
  • 5.23.0 - 2021-02-18
  • 5.22.0 - 2021-02-15
from webpack GitHub release notes
Commit messages
Package name: webpack
  • 8f87b50 5.74.0
  • 3e1f244 Merge pull request #16071 from devinan/patch-1
  • c7e14e2 Merge pull request #15910 from ludofischer/fix-message
  • 7b63346 Merge pull request #15627 from webpack/feat/issue-12441
  • 402d152 Merge pull request #15642 from webpack/set-use-credentials-without-origin-check
  • fcb0e35 Merge pull request #15996 from webdiscus/main
  • 6dc6a19 Merge pull request #16031 from evantd/main
  • 52351a6 Merge pull request #16033 from varunsh-coder/token-perms
  • 555915b Merge pull request #16065 from webpack/fix/issue-16054
  • d4cab5b Merge pull request #16077 from webpack/fix-scheme
  • 6e3e037 Merge pull request #16032 from barak007/export-harmony-import-dependency
  • 767f741 fix webpack scheme
  • da13141 Fix badge : compatibility score
  • 8bfcb69 support import/export name as string literal
  • e9f2195 ci: add GitHub token permissions for workflow
  • e3f6702 feat: export HarmonyImportDependency and generate types
  • 1492735 Pass shareScope through to ContainerPlugin & ContainerReferencePlugin
  • 1132eb3 Merge pull request #15991 from gluxon/cached-Snapshot-iterables
  • 7b3f4c0 test: Check that Snapshot iterables have stable identities
  • 751e123 Use stable identities for Snapshot iterables
  • 21ead2f Merge pull request #15940 from amareshsm/update-package.json
  • b904655 Merge pull request #15834 from snitin315/patch-2
  • 674de92 Merge pull request #15909 from fireairforce/upgrade-watchpack-version
  • f7e2128 Merge pull request #16001 from webpack/up-enhanced-resolve

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@snyk-bot