New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency webpack to ~5.76.0 [security] #60
Open
renovate-bot
wants to merge
1
commit into
googleapis:main
Choose a base branch
from
renovate-bot:renovate/npm-webpack-vulnerability
base: main
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
fix(deps): update dependency webpack to ~5.76.0 [security] #60
renovate-bot
wants to merge
1
commit into
googleapis:main
from
renovate-bot:renovate/npm-webpack-vulnerability
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
trusted-contributions-gcf
bot
added
the
kokoro:force-run
Add this label to force Kokoro to re-run the tests.
label
Aug 3, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 9, 2023 13:47
836683f
to
b2b4834
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.88.0 [security]
Aug 9, 2023
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.88.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Aug 9, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 9, 2023 18:13
b2b4834
to
6f8f966
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.88.0 [security]
Aug 22, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
August 22, 2023 23:26
e4e1aa6
to
bcf13d3
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.88.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Aug 22, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 27, 2023 10:18
bcf13d3
to
1f5bd8f
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.88.0 [security]
Aug 27, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
August 27, 2023 14:51
1f5bd8f
to
48c5a7c
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.88.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Aug 27, 2023
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.88.0 [security]
Sep 19, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
September 19, 2023 15:12
48c5a7c
to
0a80e9a
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.88.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Sep 19, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
September 19, 2023 18:33
0a80e9a
to
4333761
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.88.0 [security]
Oct 1, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
October 1, 2023 08:25
4333761
to
a00f34e
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.88.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Oct 1, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
October 1, 2023 09:31
a00f34e
to
eae63ad
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.88.0 [security]
Oct 9, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
October 9, 2023 10:16
eae63ad
to
11d0ec4
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.88.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Oct 9, 2023
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
October 15, 2023 09:22
996db34
to
131a6d6
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.89.0 [security]
Oct 15, 2023
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.89.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Oct 15, 2023
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.90.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Mar 12, 2024
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.90.0 [security]
Mar 20, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
March 20, 2024 16:42
0b67bb8
to
02b0e68
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.90.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Mar 20, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
March 24, 2024 14:45
02b0e68
to
09a30df
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.91.0 [security]
Mar 24, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
March 24, 2024 17:40
09a30df
to
c84b2a6
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.91.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Mar 24, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 1, 2024 19:55
c84b2a6
to
e74586c
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.91.0 [security]
Apr 1, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 1, 2024 21:29
e74586c
to
25db362
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.91.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Apr 1, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 14, 2024 09:40
25db362
to
bf6c3d3
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.91.0 [security]
Apr 14, 2024
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.91.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Apr 14, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
April 21, 2024 08:48
201a2e4
to
0b49c5a
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.91.0 [security]
Apr 21, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 21, 2024 09:11
0b49c5a
to
e63f6dc
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.91.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Apr 21, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 25, 2024 07:19
e63f6dc
to
72353ee
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.91.0 [security]
Apr 25, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
April 25, 2024 09:40
72353ee
to
76170ce
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.91.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
Apr 25, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
May 1, 2024 10:05
76170ce
to
0a1fd96
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.76.0 [security]
fix(deps): update dependency webpack to ~5.91.0 [security]
May 1, 2024
renovate-bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
May 1, 2024 13:43
0a1fd96
to
290169b
Compare
renovate-bot
changed the title
fix(deps): update dependency webpack to ~5.91.0 [security]
fix(deps): update dependency webpack to ~5.76.0 [security]
May 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~5.35.1
->~5.76.0
GitHub Vulnerability Alerts
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Release Notes
webpack/webpack (webpack)
v5.76.0
Compare Source
Bugfixes
generatedCode
info to fix bug in asset module cache restoration by @ryanwilsonperkin in https://github.com/webpack/webpack/pull/16703hashRegExp
lookup by @ryanwilsonperkin in https://github.com/webpack/webpack/pull/16759Features
target
toLoaderContext
type by @askoufis in https://github.com/webpack/webpack/pull/16781Security
Repo Changes
New Contributors
Full Changelog: webpack/webpack@v5.75.0...v5.76.0
v5.75.0
Compare Source
Bugfixes
experiments.*
normalize tofalse
when opt-outNaN%
window
before trying to access iteval-nosources-*
actually exclude sourcesFeatures
@import
to extenal CSS when using experimental CSS in nodei64
support to the deprecated WASM implementationDeveloper Experience
EnableWasmLoadingPlugin
v5.74.0
Compare Source
Features
resolve.extensionAlias
option which allows to alias extensions.js
extension to imports when the file really has a.ts
extension (typescript +"type": "module"
)ProvidePlugin
Bugfixes
shareScope
option forModuleFederationPlugin
"use-credentials"
also for same origin scriptsPerformance
Extensibility
HarmonyImportDependency
for pluginsv5.73.0
Compare Source
Features
dynamicImportMode
and prefetch and preloadimport { createRequire } from "module"
in source codeBugfixes
return"field"in Module
Developer Experience
PathData
in typingsv5.72.1
Compare Source
Bugfixes
__webpack_nonce__
with HMRin
operator in some casesthis.importModule
v5.72.0
Compare Source
Features
Bugfixes
in
operator with nested exportsv5.71.0
Compare Source
Features
uniqueName
when using aoutput.library
which includes placeholdersin
of a imported bindingBugfixes
chunkLoading
option in module moduleevaluateExpression
returnsnull
lazy-once
Context modulesrunAsChild
callbackv5.70.0
Compare Source
Features
baseUri
toentry
options to configure a static base uri (the base ofnew URL()
)__webpack_exports_info__.name.canMangle
experiments.buildHttp
import.meta.webpackContext
as ESM alternative torequire.context
Bugfixes
global
to a variableexperiments.outputModule
andloaderContext.importModule
with multiple chunksoutput.clean
will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browserPerformance
Developer Experience
Contributing
v5.69.1
Compare Source
Revert
v5.69.0
Compare Source
Features
resolve.alias
orresolve.modules
) when creating an context moduleutil/types
to node.js built-in modules__webpack_exports_info__.<name>.canMangle
apiBugfixes
stage
option when instrumenting plugins for the ProfilingPlugin#
in paths of loadersexperiments.buildHttp
Contributing
Developer Experience
v5.68.0
Compare Source
Features
__webpack_module__
and__webpack_module__.id
to the apiBugfixes
v5.67.0
Compare Source
Features
experiments.css
SyncModuleIdsPlugin
to sync module ids between server and client compilationDeterministicModuleIdsPlugin
to allow to generate equal idsDeveloper Experience
null
to errors in callbacksBugfixes
experiments.css
|
webpack-hot-middleware/client
from lazy compilationContributing
v5.66.0
Compare Source
Features
output.library.type: "commonjs-static"
to emit a statically analyse-able commonjs module (for node.js esm interop support)experiments.css
(very experimental)Bugfixes
experiments.lazyCompilation
[absolute-resource-path]
for SourceMap module namingPerformance
watchOptions.aggregateTimeout
to 20msv5.65.0
Compare Source
Features
undefined
nowBugfixes
singleton
flag withoutrequiredVersion
in Module Federationwatchpack
for context time info bugfixPerformance
Developer Experience
output.globalObject
contains a non-trival expressionscript
type external with invalid syntaxResolver
,StatsOptions
andResolvePluginInstance
Preparations for the future
hashDigestLength
will default to 16 in webpack 6 (experiments.futureDefaults
)v5.64.4
Compare Source
Bugfixes
Performance
Developer Experience
v5.64.3
Compare Source
Performance
Infinity
is used in configurationv5.64.2
Compare Source
Bugfixes
v5.64.1
Compare Source
Bugfixes
require(...).property
inrequire.ensure
output.clean: true
unsafeCache
withinmanagedPaths
(node_modules)v5.64.0
Compare Source
Features
asyncChunks: boolean
option to disable creation of async chunksBugfixes
experiments.backCompat: false
Performance
v5.63.0
Compare Source
Features
chunkLoading: false
to disable on-demand loadingBugfixes
import 'single-quote'
in esm build dependenciesv5.62.2
Compare Source
Bugfixes
__system_context__
injection when using thelibrary
option on entrypointexportsPresence: "error"
by default infutureDefaults
exportPresence
->exportsPresence
typoexperiments.cacheUnaffected
v5.62.1
Compare Source
Bugfix
;
v5.62.0
Compare Source
Features
parser.javascript.reexportExportsPresence: false
allows to disable warnings for non-existing exports during the migration fromexport ... from "..."
toexport type ... from "..."
for type reexports in TypeScriptexperiments.backCompat: false
to disable some expensive deprecations for better performanceBugfixes
['catch']
instead of.catch
for better ES3 supportnew (require("...")).Something()
{ require }
object literalssplitChunks.chunks
option is now correctly used forsplitChunks.fallbackCacheGroup.maxSize
toolisten
option, allow to omitport
Developer Experience
/// <reference types="webpack/module" />
to use the typings in typescript modules"types": [..., "webpack/module"]
in tsconfigv5.61.0
Compare Source
Bugfixes
path
submodules in the node.js default externalsPerformance
Contribution
v5.60.0
Compare Source
Features
experiments.lazyCompilation
. e. g. port, https stuffBugfixes
output.hashFunction
used to persistent caching toobuildDependencies
Set correctly when loaders are added inbeforeLoaders
hookv5.59.1
Compare Source
Bugfixes
experiments.buildHttp
v5.59.0
Compare Source
Features
/*#__PURE__*/
forObject()
in generated codemanaged/immutablePaths
experiments.buildHttp
splitChunks.minSizeReduction
optionBugfixes
waitFor
when modules are unsafe cachedv5.58.2
Compare Source
Bugfixes
Performance
v5.58.1
Compare Source
Bugfixes
.webpack[]
suffix to not execute rulesv5.58.0
Compare Source
Features
diagnostics_channel
to node builtinsPerformance
v5.57.1
Compare Source
Bugfix
v5.57.0
Compare Source
Performance
Bugfixes
v5.56.1
Compare Source
Bugfix
v5.56.0
Compare Source
Performance
v5.55.1
Compare Source
Bugfixes
experiments.cacheUnaffected
v5.55.0
Compare Source
Performance
experiments.cacheUnaffected
module.unsafeCache
v5.54.0
Compare Source
Features
&&
||
and??
output.hashFunction
eval
is used in a moduleBugfixes
Performance
output.hashFunction: "xxhash64"
for a super fast wasm based hash functionexperiments.cacheUnaffected
which caches computations for modules that are unchanged and reference only unchanged modulesv5.53.0
Compare Source
Features
node.__dirname/__filename: "warn-mock"
which warns on usage (will be enabled in webpack 6 by default)Bugfixes
stream/web
to Node.js externalsExperiments
experiments.futureDefaults
to enable defaults for webpack 6v5.52.1
Compare Source
Performance
v5.52.0
Compare Source
Feature
experiments.executeModule
is enabled by default and the option is removedthis.importModule
Bugfixes
__WEBPACK_EXTERNAL_MODULE_null__
, which leads to merged externals.webpack[...]
extension is not part of matching and module namev5.51.2
Compare Source
Bugfixes
[contenthash]
is undefined when usingnew Worker
v5.51.1
Compare Source
Bugfixes
library: "module"
propages top-level-await correctlyv5.51.0
Compare Source
Bugfixes
yarn link
ing of dependencies.Compilation.addModuleChain
andCompilation.addModuleTree
v5.50.0
Compare Source
Features
#! ...
) are now handled by webpackPerformance
v5.49.0
Compare Source
Features
experiments.buildHttp
to buildhttp(s)://
imports instead of keeping them externalwebpack.lock
file with integrity andwebpack.lock.data
with cached content that should be committed(might be disabled with
experiments.buildHttp.upgrade: false
)(exception:
Cache-Control: no-cache
).webpack.lock.data
persisting can be disabled withexperiments.buildHttp.cacheLocation: false
.That will will introduce a availability risk.
(webpack cache will be used to cache network responses)
Bugfixes
splitChunks.maxSize
introduces in the last releasebail
is setPerformance
v5.48.0
Compare Source
Features
Bugfixes
v5.47.1
Compare Source
Bugfixes
v5.47.0
Compare Source
Performance
Bugfixes
"use strict"
s in module modev5.46.0
Compare Source
Features
stats.reasonsSpace
andstats.groupReasonsByOrigin
Bugfixes
Performance
v5.45.1
Compare Source
Bugfixes
assert
in other placesimport(/* webpackPrefetch: true */ ...)
no longer breaks library outputv5.45.0
Compare Source
Features
Bugfixes
.cjs
output filesPerformance
Contributing
v5.44.0
Compare Source
Features
output.module
+optimization.runtimeChunk
Bugfixes
v5.43.0
Compare Source
Features
runtime: false
in entry description to disable runtime chunkruntime
option in ModuleFederationPlugin and ContainerPluginBugfixes
"module"
externals when concatenatedPerformance
v5.42.1
Compare Source
Bugfixes
jsonData
ordataUrl
of undefinedv5.42.0
Compare Source
Features
cache.compression
Bugfixes
node-commonjs
to schema forexternalsType
system
externalsPerformance
v5.41.1
Compare Source
Bugfixes
Performance
v5.41.0
Compare Source
Features
cache.idleTimeoutAfterLargeChanges
to control thatBugfixes
Experiments
experiments.outputModule: true
)output.library.type: "module"
: very basic support, no live bindings, unnecessary runtime codeoutput.chunkLoading: "import"
output.chunkFormat: "module"
externalsType: "module"
generates nowimport * as X from "..."
(in a module) orimport("...")
(in a script)import { createRequire } from "module"
in a modulenew Worker
etc. sets `type: "module"v5.40.0
Compare Source
Features
node:
prefixed requests as node.js externalsinstanceof Promise
in favor ofp && typeof p.then === "function"
to allow mixing different Promise implementionsBugfixes
Performance
Developer Experience
Buffer
inthis.emitFile
typings (loader context)reset
cli argument descriptionv5.39.1
Compare Source
Bugfixes
v5.39.0
Compare Source
Features
import()
context (import with expression)Bugfixes
cache.allowCollectingMemory
Performance
Error.captureStackTrace
from webpack errorsv5.38.1
Compare Source
Performance
v5.38.0
Compare Source
Features
new URL("data:...", import.meta.url)
is now supportedmodule.rules[].scheme
as condition to match the request scheme (likedata
,http
, etc.)Bugfixes
Performance
v5.37.1
Compare Source
Bugfixes
Watching.invalidate
,dependencies
andparallelism
of the config array is now respected correctlystats
after the next compilation has startedWatching.suspend
RuleCondition.not
and allow passing a condition directly instead of only an arrayDeveloper Experience
Contributing
v5.37.0
Compare Source
Features
output.trustedTypes
Bugfixes
dependOn
null
in fs callbacksDeveloper Experiences
v5.36.2
Compare Source
Bugfixes
output.clean
is against this assumptionv5.36.1
Compare Source
Performance
cache.profile
(type: "filesystem"
only) flag for more info about (de)serialization timingsv5.36.0
Compare Source
Features
Performance
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.