Skip to content

chore(deps): update dependency webpack to v5.76.0 [security] #183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency webpack to v5.76.0 [security] #183

wants to merge 1 commit into from
+470 −24

Conversation

@renovate
Copy link

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webpack 5.67.0 -> 5.76.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Release Notes

webpack/webpack (webpack)

v5.76.0

Compare Source

Bugfixes

Features

Security

Repo Changes

New Contributors

Full Changelog: webpack/webpack@v5.75.0...v5.76.0

v5.75.0

Compare Source

Bugfixes

  • experiments.* normalize to false when opt-out
  • avoid NaN%
  • show the correct error when using a conflicting chunk name in code
  • HMR code tests existance of window before trying to access it
  • fix eval-nosources-* actually exclude sources
  • fix race condition where no module is returned from processing module
  • fix position of standalong semicolon in runtime code

Features

  • add support for @import to extenal CSS when using experimental CSS in node
  • add i64 support to the deprecated WASM implementation

Developer Experience

  • expose EnableWasmLoadingPlugin
  • add more typings
  • generate getters instead of readonly properties in typings to allow overriding them

v5.74.0

Compare Source

Features

  • add resolve.extensionAlias option which allows to alias extensions
    • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
  • add support for ES2022 features like static blocks
  • add Tree Shaking support for ProvidePlugin

Bugfixes

  • fix persistent cache when some build dependencies are on a different windows drive
  • make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
  • remove left-over from debugging in TLA/async modules runtime code
  • remove unneeded extra 1s timestamp offset during watching when files are actually untouched
    • This sometimes caused an additional second build which are not really needed
  • fix shareScope option for ModuleFederationPlugin
  • set "use-credentials" also for same origin scripts

Performance

  • Improve memory usage and performance of aggregating needed files/directories for watching
    • This affects rebuild performance

Extensibility

  • export HarmonyImportDependency for plugins

v5.73.0

Compare Source

Features

  • add options for default dynamicImportMode and prefetch and preload
  • add support for import { createRequire } from "module" in source code

Bugfixes

  • fix code generation of e. g. return"field"in Module
  • fix performance of large JSON modules
  • fix performance of async modules evaluation

Developer Experience

  • export PathData in typings
  • improve error messages with more details

v5.72.1

Compare Source

Bugfixes

  • fix __webpack_nonce__ with HMR
  • fix in operator in some cases
  • fix json parsing error messages
  • fix module concatenation with using this.importModule
  • upgrade enhanced-resolve

v5.72.0

Compare Source

Features

  • make cache warnings caused by build errors less verbose
  • Allow banner to be placed as a footer with the BannerPlugin
  • allow to concatenate asset modules

Bugfixes

  • fix RemoteModules when using HMR (Module Federation + HMR)
  • throw error when using module concatenation and cacheUnaffected
  • fix in operator with nested exports

v5.71.0

Compare Source

Features

  • choose smarter default for uniqueName when using a output.library which includes placeholders
  • add support for expressions with in of a imported binding
  • generate UMD code with arrow functions when possible

Bugfixes

  • fix source map source names for ContextModule to be relative
  • fix chunkLoading option in module module
  • fix edge case where evaluateExpression returns null
  • retain optional chaining in imported bindings
  • include runtime code for the base URI even if not using chunk loading
  • don't throw errors in persistent caching when importing node.js builtin modules via ESM
  • fix crash when using lazy-once Context modules
  • improve handling of context modules with multiple contexts
  • fix race condition HMR chunk loading when importing chunks during HMR updating
  • handle errors in runAsChild callback

v5.70.0

Compare Source

Features

  • update node.js version constraints for ESM support
  • add baseUri to entry options to configure a static base uri (the base of new URL())
  • alphabetically sort exports in namespace objects when possible
  • add __webpack_exports_info__.name.canMangle
  • add proxy support to experiments.buildHttp
  • import.meta.webpackContext as ESM alternative to require.context
  • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

Bugfixes

  • fix problem when assigning global to a variable
  • fix crash when using experiments.outputModule and loaderContext.importModule with multiple chunks
  • avoid generating progress output before the compilation has started (ProgressPlugin)
  • fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
  • include the asset module filename in hashing
  • output.clean will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

Performance

  • fix asset caching when using the BannerPlugin

Developer Experience

  • improve typings

Contributing

  • capture caching errors when running the test suite

v5.69.1

Compare Source

Revert

  • revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"

v5.69.0

Compare Source

Features

  • automatically switch to an ESM compatible environment when enabling ESM output mode
  • handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module
  • add util/types to node.js built-in modules
  • add __webpack_exports_info__.<name>.canMangle api

Bugfixes

  • fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
  • avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
  • fix handling of whitespaces in semver ranges when using Module Federation
  • avoid generating hashes which contain only numbers as they likely conflict with module ids
  • fix resource name based placeholders for data uris
  • fix cache serialization for context elements
  • fix passing of stage option when instrumenting plugins for the ProfilingPlugin
  • fix tracking of declarations in concatenated modules to avoid conflicts
  • fix unstable mangling of exports
  • fix handling of # in paths of loaders
  • avoid unnecessary cache update when using experiments.buildHttp

Contributing

  • update typescript and jest

Developer Experience

  • expose some additional typings for usage in webpack-cli

v5.68.0

Compare Source

Features
  • allow to disable compile time evaluation of import.meta.url
  • add __webpack_module__ and __webpack_module__.id to the api
Bugfixes
  • fix handling of errors thrown in async modules

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 658ada2 to fe678ea Compare August 28, 2024 09:02
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from fe678ea to 1040993 Compare October 9, 2024 11:06
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 1040993 to 0df45d1 Compare December 2, 2024 10:26
@renovate renovate bot changed the title chore(deps): update dependency webpack to v5.76.0 [security] chore(deps): update dependency webpack to v5.76.0 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-webpack-vulnerability branch December 8, 2024 18:36
@renovate renovate bot changed the title chore(deps): update dependency webpack to v5.76.0 [security] - autoclosed chore(deps): update dependency webpack to v5.76.0 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 0df45d1 to 32b52fd Compare December 9, 2024 02:17
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 7421c51 to f19eae7 Compare January 30, 2025 17:35
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from f19eae7 to 79e67ee Compare February 9, 2025 12:34
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 79e67ee to 54f2478 Compare March 3, 2025 15:38
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 3 times, most recently from 6af4cff to 968185e Compare March 17, 2025 12:37
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 968185e to 5ea1eae Compare April 1, 2025 11:19
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 5ea1eae to ed76b50 Compare April 8, 2025 13:36
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from ed76b50 to 89657da Compare April 24, 2025 06:44
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 89657da to 1bc8018 Compare May 19, 2025 16:03
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 13c467d to b69e1f3 Compare June 4, 2025 06:28
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from b69e1f3 to c6e992c Compare June 22, 2025 13:31
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from c6e992c to dd2c874 Compare July 2, 2025 18:47
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch 2 times, most recently from 31df461 to 1050d30 Compare August 13, 2025 16:14
@renovate renovate bot changed the title chore(deps): update dependency webpack to v5.76.0 [security] chore(deps): update dependency webpack to v5.94.0 [security] Aug 13, 2025
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 1050d30 to d8f5eb6 Compare August 19, 2025 19:42
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from d8f5eb6 to bae3d7b Compare August 31, 2025 10:04
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from bae3d7b to ee76d14 Compare September 25, 2025 14:17
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from ee76d14 to 2d9970c Compare October 15, 2025 22:27
@renovate renovate bot changed the title chore(deps): update dependency webpack to v5.94.0 [security] chore(deps): update dependency webpack to v5.76.0 [security] Oct 15, 2025
@renovate renovate bot force-pushed the renovate/npm-webpack-vulnerability branch from 2d9970c to ee0ebad Compare October 21, 2025 17:14
@renovate
Copy link
Author

renovate bot commented Nov 11, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
➤ YN0000: ┌ Resolution step
➤ YN0002: │ @commitlint/load@npm:16.1.0 doesn't provide @types/node (p28edd), requested by cosmiconfig-typescript-loader
➤ YN0002: │ @drizzle-http/example-nestjs@workspace:examples/nestjs doesn't provide typescript (p59e73), requested by @nestjs/schematics
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (p1ed42), requested by babel-loader
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (p43d50), requested by clean-webpack-plugin
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (pd3749), requested by html-webpack-plugin
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (pc82c0), requested by webpack-dev-server
➤ YN0002: │ webpack-dev-server@npm:4.7.3 [1cf60] doesn't provide @types/express (p93524), requested by http-proxy-middleware
➤ YN0002: │ webpack-dev-server@npm:4.7.3 [ee916] doesn't provide @types/express (pf59c4), requested by http-proxy-middleware
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 1s 258ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ TypeError: resolve@patch:resolve@npm%3A1.19.0#~builtin<compat/resolve>::version=1.19.0&hash=07638b: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: resolve@patch:resolve@npm%3A1.22.0#~builtin<compat/resolve>::version=1.22.0&hash=07638b: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: typescript@patch:typescript@npm%3A4.5.4#~builtin<compat/typescript>::version=4.5.4&hash=493e53: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: typescript@patch:typescript@npm%3A4.5.5#~builtin<compat/typescript>::version=4.5.5&hash=493e53: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0013: │ 2010 packages were already cached, 52 had to be fetched
➤ YN0000: └ Completed in 3s 1ms
➤ YN0000: Failed with errors in 4s 263ms

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant