Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Release Notes
webpack/webpack
### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)
##### Bugfixes
- Avoid cross-realm object access by [@Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- Improve hash performance via conditional initialization by [@lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- Serialize `generatedCode` info to fix bug in asset module cache restoration by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- Improve performance of `hashRegExp` lookup by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)
##### Features
- add `target` to `LoaderContext` type by [@askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)
##### Security
- [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
##### Repo Changes
- Fix HTML5 logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- Replace TypeScript logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
- Update actions/cache dependencies by [@piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
##### New Contributors
- [@Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- [@lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- [@jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
- [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- [@piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
- [@askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)
**Full Changelog**: https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
### [`v5.75.0`](https://togithub.com/webpack/webpack/releases/tag/v5.75.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.74.0...v5.75.0)
### Bugfixes
- `experiments.*` normalize to `false` when opt-out
- avoid `NaN%`
- show the correct error when using a conflicting chunk name in code
- HMR code tests existence of `window` before trying to access it
- fix `eval-nosources-*` actually exclude sources
- fix race condition where no module is returned from processing module
- fix position of standalone semicolon in runtime code
### Features
- add support for `@import` to external CSS when using experimental CSS in node
- add `i64` support to the deprecated WASM implementation
### Developer Experience
- expose `EnableWasmLoadingPlugin`
- add more typings
- generate getters instead of readonly properties in typings to allow overriding them
### [`v5.74.0`](https://togithub.com/webpack/webpack/releases/tag/v5.74.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.73.0...v5.74.0)
### Features
- add `resolve.extensionAlias` option which allows to alias extensions
  - This is useful when you are forced to add the `.js` extension to imports when the file really has a `.ts` extension (typescript + `"type": "module"`)
- add support for ES2022 features like static blocks
- add Tree Shaking support for `ProvidePlugin`
### Bugfixes
- fix persistent cache when some build dependencies are on a different windows drive
- make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
- remove left-over from debugging in TLA/async modules runtime code
- remove unneeded extra 1s timestamp offset during watching when files are actually untouched
  - This sometimes caused an additional second build which is not really needed
- fix `shareScope` option for `ModuleFederationPlugin`
- set `"use-credentials"` also for same origin scripts
### Performance
- Improve memory usage and performance of aggregating needed files/directories for watching
  - This affects rebuild performance
### Extensibility
- export `HarmonyImportDependency` for plugins
### [`v5.73.0`](https://togithub.com/webpack/webpack/releases/tag/v5.73.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.1...v5.73.0)
### Features
- add options for default `dynamicImportMode` and prefetch and preload
- add support for `import { createRequire } from "module"` in source code
### Bugfixes
- fix code generation of e. g. `return"field"in Module`
- fix performance of large JSON modules
- fix performance of async modules evaluation
### Developer Experience
- export `PathData` in typings
- improve error messages with more details
### [`v5.72.1`](https://togithub.com/webpack/webpack/releases/tag/v5.72.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.0...v5.72.1)
### Bugfixes
- fix `__webpack_nonce__` with HMR
- fix `in` operator in some cases
- fix json parsing error messages
- fix module concatenation with using `this.importModule`
- upgrade enhanced-resolve
### [`v5.72.0`](https://togithub.com/webpack/webpack/releases/tag/v5.72.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.71.0...v5.72.0)
### Features
- make cache warnings caused by build errors less verbose
- Allow banner to be placed as a footer with the BannerPlugin
- allow to concatenate asset modules
### Bugfixes
- fix RemoteModules when using HMR (Module Federation + HMR)
- throw error when using module concatenation and cacheUnaffected
- fix `in` operator with nested exports
### [`v5.71.0`](https://togithub.com/webpack/webpack/releases/tag/v5.71.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.70.0...v5.71.0)
### Features
- choose smarter default for `uniqueName` when using a `output.library` which includes placeholders
- add support for expressions with `in` of an imported binding
- generate UMD code with arrow functions when possible
### Bugfixes
- fix source map source names for ContextModule to be relative
- fix `chunkLoading` option in module module
- fix edge case where `evaluateExpression` returns `null`
- retain optional chaining in imported bindings
- include runtime code for the base URI even if not using chunk loading
- don't throw errors in persistent caching when importing node.js builtin modules via ESM
- fix crash when using `lazy-once` Context modules
- improve handling of context modules with multiple contexts
- fix race condition HMR chunk loading when importing chunks during HMR updating
- handle errors in `runAsChild` callback
### [`v5.70.0`](https://togithub.com/webpack/webpack/releases/tag/v5.70.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.1...v5.70.0)
##### Features
- update node.js version constraints for ESM support
- add `baseUri` to `entry` options to configure a static base uri (the base of `new URL()`)
- alphabetically sort exports in namespace objects when possible
- add `__webpack_exports_info__.name.canMangle`
- add proxy support to `experiments.buildHttp`
- `import.meta.webpackContext` as ESM alternative to `require.context`
- handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating a context module
##### Bugfixes
- fix problem when assigning `global` to a variable
- fix crash when using `experiments.outputModule` and `loaderContext.importModule` with multiple chunks
- avoid generating progress output before the compilation has started (ProgressPlugin)
- fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
- include the asset module filename in hashing
- `output.clean` will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster than the browser
##### Performance
- fix asset caching when using the BannerPlugin
##### Developer Experience
- improve typings
##### Contributing
- capture caching errors when running the test suite
### [`v5.69.1`](https://togithub.com/webpack/webpack/releases/tag/v5.69.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.0...v5.69.1)
### Revert
- revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating a context module"
### [`v5.69.0`](https://togithub.com/webpack/webpack/releases/tag/v5.69.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.68.0...v5.69.0)
### Features
- automatically switch to an ESM compatible environment when enabling ESM output mode
- handle multiple alternative directories (e. g. due to `resolve.alias` or `resolve.modules`) when creating a context module
- add `util/types` to node.js built-in modules
- add `__webpack_exports_info__..canMangle` api
### Bugfixes
- fix bug in chunk graph generation which leads to modules being included in chunk despite them being already included in parent chunks
- avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
- fix handling of whitespaces in semver ranges when using Module Federation
- avoid generating hashes which contain only numbers as they likely conflict with module ids
- fix resource name based placeholders for data uris
- fix cache serialization for context elements
- fix passing of `stage` option when instrumenting plugins for the ProfilingPlugin
- fix tracking of declarations in concatenated modules to avoid conflicts
- fix unstable mangling of exports
- fix handling of `#` in paths of loaders
- avoid unnecessary cache update when using `experiments.buildHttp`
### Contributing
- update typescript and jest
### Developer Experience
- expose some additional typings for usage in webpack-cli
### [`v5.68.0`](https://togithub.com/webpack/webpack/releases/tag/v5.68.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.67.0...v5.68.0)
### Features
- allow to disable compile time evaluation of import.meta.url
- add `__webpack_module__` and `__webpack_module__.id` to the api
### Bugfixes
- fix handling of errors thrown in async modules
### [`v5.67.0`](https://togithub.com/webpack/webpack/releases/tag/v5.67.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.66.0...v5.67.0)
### Features
- add 'outputPath' configuration option for resource asset modules
- support Trusted Types in eval source maps
- `experiments.css`
  - allow to generate only exports for css in node
- add `SyncModuleIdsPlugin` to sync module ids between server and client compilation
- add more options to the `DeterministicModuleIdsPlugin` to allow to generate equal ids
### Developer Experience
- limit data url module name in stats printer
- allow specific description for CLI options
- improve space limiting algorithm in stats printing to show partial lists
- add `null` to errors in callbacks
- fix call signature types of addChunkInGroup
### Bugfixes
- avoid reporting non-existent package.jsons as dependencies
- `experiments.css`
  - fix missing css runtime when only initial css is used
  - fix css hmr support
  - bugfixes to css modules
- fix cache serialization for CreateScriptUrlDependency
- fix data url content when processed by a loader
- fix regexp in identifiers that include `|`
- fix ProfilingPlugin for watch scenarios
- add layer to module names and identifiers
  - this avoids random module id changes when additional modules are added to another layer
- provide hashFunction parameter to DependencyTemplates to allow customizing it there
- fix HMR when experiments.lazyCompilation is enabled
- store url as Buffer to avoid serialization warnings
- exclude `webpack-hot-middleware/client` from lazy compilation
### Contributing
- remove travis configuration
- improve spell checking
### [`v5.66.0`](https://togithub.com/webpack/webpack/releases/tag/v5.66.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.65.0...v5.66.0)
### Features
- add `output.library.type: "commonjs-static"` to emit a statically analyse-able commonjs module (for node.js esm interop support)
- add `experiments.css` (very experimental)
  - see [https://github.com/webpack/webpack/issues/14893](https://togithub.com/webpack/webpack/issues/14893)
### Bugfixes
- fix CORS headers for `experiments.lazyCompilation`
- fix `[absolute-resource-path]` for SourceMap module naming
- avoid stack overflow when accessing many memory cached cache values in series
### Performance
- reduce default `watchOptions.aggregateTimeout` to 20ms
### [`v5.65.0`](https://togithub.com/webpack/webpack/releases/tag/v5.65.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.4...v5.65.0)
### Features
- static evaluation understands `undefined` now
- reduce container entry code by a few chars
- use template literals when available and they make sense
### Bugfixes
- handle `singleton` flag without `requiredVersion` in Module Federation
- upgrade `watchpack` for context time info bugfix
### Performance
- improve RegExp in error message formatting for non-quadratic performance
### Developer Experience
- automatically insert brackets when `output.globalObject` contains a non-trivial expression
- show error when using `script` type external with invalid syntax
- expose types for `Resolver`, `StatsOptions` and `ResolvePluginInstance`
### Preparations for the future
- `hashDigestLength` will default to 16 in webpack 6 (`experiments.futureDefaults`)
### [`v5.64.4`](https://togithub.com/webpack/webpack/releases/tag/v5.64.4)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.3...v5.64.4)
### Bugfixes
- fix tagged template literal evaluation
- fix ModuleFederation with ESM
- fix outputModule with initial splitChunks
### Performance
- upgrade watchpack for faster watcher updating
- track file and directory timestamps separately in watchpack and webpack
### Developer Experience
- show origin of singleton shared module in mismatch warning
### [`v5.64.3`](https://togithub.com/webpack/webpack/releases/tag/v5.64.3)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.2...v5.64.3)
### Performance
- allow to use pre-compiled schema when `Infinity` is used in configuration
- allow to use pre-compiled schema for configuration arrays
### [`v5.64.2`](https://togithub.com/webpack/webpack/releases/tag/v5.64.2)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.1...v5.64.2)
### Bugfixes
- avoid double initial compilation due to invalid dependencies with managedPaths
### [`v5.64.1`](https://togithub.com/webpack/webpack/releases/tag/v5.64.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.0...v5.64.1)
##### Bugfixes
- fix regexp in managedPaths to exclude additional slash
- make module.accept errorHandler optional in typings
- correctly create an async chunk when using a `require(...).property` in `require.ensure`
- fix cleaning of symlinks in `output.clean: true`
- fix change detection with `unsafeCache` within `managedPaths` (node_modules)
- bump webpack-sources for Stack Overflow bugfix
### [`v5.64.0`](https://togithub.com/webpack/webpack/releases/tag/v5.64.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.63.0...v5.64.0)
### Features
- add `asyncChunks: boolean` option to disable creation of async chunks
### Bugfixes
- fix ProfilingPlugin for `experiments.backCompat: false`
### Performance
- avoid running regexp twice over the file list
### [`v5.63.0`](https://togithub.com/webpack/webpack/releases/tag/v5.63.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.2...v5.63.0)
### Features
- allow passing `chunkLoading: false` to disable on-demand loading
### Bugfixes
- fix `import 'single-quote'` in esm build dependencies
### [`v5.62.2`](https://togithub.com/webpack/webpack/releases/tag/v5.62.2)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.1...v5.62.2)
### Bugfixes
- fix `__system_context__` injection when using the `library` option on entrypoint
- enable `exportsPresence: "error"` by default in `futureDefaults`
- fix bad performance for a RegExp in Stats printing (with large error messages)
- fix `exportPresence` -> `exportsPresence` typo
- fix a bug with module invalidation when only module id changes with `experiments.cacheUnaffected`
### [`v5.62.1`](https://togithub.com/webpack/webpack/releases/tag/v5.62.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.0...v5.62.1)
##### Bugfix
- fix invalid generated code when omitting `;`
### [`v5.62.0`](https://togithub.com/webpack/webpack/releases/tag/v5.62.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.61.0...v5.62.0)
### Features
- add options to configure export presence checking
  - `parser.javascript.reexportExportsPresence: false` allows to disable warnings for non-existing exports during the migration from `export ... from "..."` to `export type ... from "..."` for type reexports in TypeScript
- add `experiments.backCompat: false` to disable some expensive deprecations for better performance
### Bugfixes
- use `['catch']` instead of `.catch` for better ES3 support
- fix removed parentheses when using `new (require("...")).Something()`
- fix `{ require }` object literals
- `splitChunks.chunks` option is now correctly used for `splitChunks.fallbackCacheGroup.maxSize` too
- fix schema of `listen` option, allow to omit `port`
- add better support for Promises from different isolates
### Developer Experience
- add typings for the webpack API that is available within modules
  - use `/// ` to use the typings in typescript modules
  - or `"types": [..., "webpack/module"]` in tsconfig
### [`v5.61.0`](https://togithub.com/webpack/webpack/releases/tag/v5.61.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.60.0...v5.61.0)
##### Bugfixes
- use a wasm md4 implementation for node 17 support
- include the `path` submodules in the node.js default externals
##### Performance
- improve string to binary conversion performance for hashing
##### Contribution
- CI runs on node.js 17
### [`v5.60.0`](https://togithub.com/webpack/webpack/releases/tag/v5.60.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.59.1...v5.60.0)
##### Features
- Allow to pass more options to `experiments.lazyCompilation`. e. g. port, https stuff
##### Bugfixes
- fix `output.hashFunction` used to persistent caching too
- Initialize `buildDependencies` Set correctly when loaders are added in `beforeLoaders` hook
### [`v5.59.1`](https://togithub.com/webpack/webpack/releases/tag/v5.59.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.59.0...v5.59.1)
##### Bugfixes
- fix regexp in managedPaths
- fix hanging when trying to write lockfile for `experiments.buildHttp`
### [`v5.59.0`](https://togithub.com/webpack/webpack/releases/tag/v5.59.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.2...v5.59.0)
### Features
- add `/*#__PURE__*/` for `Object()` in generated code
- add RegExp and function support for `managed/immutablePaths`
- add hooks for multiple phases in module build
- improvements to `experiments.buildHttp`
  - allow to share cache
  - add allowlist
- add `splitChunks.minSizeReduction` option
### Bugfixes
- fix memory caching for Data URLs
- fix crash in `waitFor` when modules are unsafe cached
- fix bug in build cycle detection
### [`v5.58.2`](https://togithub.com/webpack/webpack/releases/tag/v5.58.2)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.1...v5.58.2)
### Bugfixes
- fix serialization context passed
- fix a bug which caused module duplication when using persistent caching, unsafe cache and memory cache with GC
- fix validation of snapshots of non-existing directories
### Performance
- store a hash in first bits of bigint to workaround v8 hashing: https://github.com/v8/v8/blob/b704bc0958e2e26305a68e89d215af1aee011148/src/objects/bigint.h#L192-L195
### [`v5.58.1`](https://togithub.com/webpack/webpack/releases/tag/v5.58.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.0...v5.58.1)
### Bugfixes
- fix `.webpack[]` suffix to not execute rules
- revert performance optimization that has too large memory usage in large builds
### [`v5.58.0`](https://togithub.com/webpack/webpack/releases/tag/v5.58.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.57.1...v5.58.0)
### Features
- add hook for readResource
- add `diagnostics_channel` to node builtins
### Performance
- improve chunk graph creation performance
- add cacheUnaffected cache support
- remove some caching that makes no difference
- improve splitChunks performance
- improve chunk conditions performance
### [`v5.57.1`](https://togithub.com/webpack/webpack/releases/tag/v5.57.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.57.0...v5.57.1)
### Bugfix
- fix experiments.cacheUnaffected which was broken by the last release
### [`v5.57.0`](https://togithub.com/webpack/webpack/releases/tag/v5.57.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.56.1...v5.57.0)
### Performance
- reduce number of hash.update calls
- allow ExternalModules to be unsafe cached
- improve hashing performance of module lists (StringXor)
### Bugfixes
- experiments.cacheUnaffected
  - handle module/chunk id changes correctly
  - cache modules with async blocks
  - show errors when using incompatible options
### [`v5.56.1`](https://togithub.com/webpack/webpack/releases/tag/v5.56.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.56.0...v5.56.1)
### Bugfix
- DefinePlugin: fix conflict with older variants of the plugin
### [`v5.56.0`](https://togithub.com/webpack/webpack/releases/tag/v5.56.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.55.1...v5.56.0)
### Performance
- make DefinePlugin rebuild check more efficient performance and memory wise
### [`v5.55.1`](https://togithub.com/webpack/webpack/releases/tag/v5.55.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.55.0...v5.55.1)
### Bugfixes
- fixes for `experiments.cacheUnaffected`
  - fix accidentally shared mem caches
  - avoid RuntimeSpecMap in favor of directly setting on memCache
  - compare references modules when restoring mem cache
### [`v5.55.0`](https://togithub.com/webpack/webpack/releases/tag/v5.55.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.54.0...v5.55.0)
### Performance
- `experiments.cacheUnaffected`
  - reduce cache memory usage
  - make memCache per module
  - cache ESM reexport computation
- `module.unsafeCache`
  - make it faster by moving it to Compilation-level instead of in NormalModuleFactory
  - omit tracking resolve dependencies since they are not used when unsafe cache is enabled
- module graph
  - lazy assign ModuleGraphConnections to Dependencies since that is only accessed when uncached
### [`v5.54.0`](https://togithub.com/webpack/webpack/releases/tag/v5.54.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.53.0...v5.54.0)
### Features
- improve constant folding to allow to skip more branches for `&&` `||` and `??`
- allow all hashing using in webpack to be configured with `output.hashFunction`
- no longer bailout completely from inner graph analysis when `eval` is used in a module
### Bugfixes
- force bump enhanced-resolve for bugfixes
### Performance
- reduce number of allocation when creating snapshots
- add `output.hashFunction: "xxhash64"` for a super fast wasm based hash function
- improve utf-8 conversion when serializing short strings
- improve hashing performance for dependencies
- add `experiments.cacheUnaffected` which caches computations for modules that are unchanged and reference only unchanged modules
### [`v5.53.0`](https://togithub.com/webpack/webpack/releases/tag/v5.53.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.52.1...v5.53.0)
### Features
- add `node.__dirname/__filename: "warn-mock"` which warns on usage (will be enabled in webpack 6 by default)
### Bugfixes
- add `stream/web` to Node.js externals
- fix IgnorePluginSchema
- fix builds with persistent caching taking 1 minute to build at least
### Experiments
- add `experiments.futureDefaults` to enable defaults for webpack 6
### [`v5.52.1`](https://togithub.com/webpack/webpack/releases/tag/v5.52.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.52.0...v5.52.1)
### Performance
- split fresh created persistent cache files by time to avoid creating very large files
### [`v5.52.0`](https://togithub.com/webpack/webpack/releases/tag/v5.52.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.51.2...v5.52.0)
### Feature
- `experiments.executeModule` is enabled by default and the option is removed
  - loaders are now free to use `this.importModule`
### Bugfixes
- fix generated `__WEBPACK_EXTERNAL_MODULE_null__`, which leads to merged externals
- `.webpack[...]` extension is not part of matching and module name
### [`v5.51.2`](https://togithub.com/webpack/webpack/releases/tag/v5.51.2)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.51.1...v5.51.2)
### Bugfixes
- fix crash in FileSystemInfo when errors occur
- avoid property access of reserved properties
- fix reexports from async modules
- automatically close an active watching when closing the compiler
- when filenames of other runtimes are referenced that need a full hash, upgrade referencing runtime module to full hash mode too
  - fixes a bug where `[contenthash]` is undefined when using `new Worker`
### [`v5.51.1`](https://togithub.com/webpack/webpack/releases/tag/v5.51.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.51.0...v5.51.1)
### Bugfixes
- `library: "module"` propagates top-level-await correctly
- fix crash in filesystem snapshotting when trying to snapshot a non-existing directory
- fix some context-dependent logic in concatenated modules and source url handling
### [`v5.51.0`](https://togithub.com/webpack/webpack/releases/tag/v5.51.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.50.0...v5.51.0)
### Bugfixes
- correctly keep chunk loading state when the chunk loading logic is HMR updated
  - This fixes some edge cases that e. g. occur when using lazy compilation for entrypoints. It is now able to HMR update that instead of needing a manual reload. Also see fixes in webpack-dev-server@4.
- track and resolve symlinks for filesystem snapshotting
  - This fixes some cases of circular `yarn link`ing of dependencies.
  - It also fixes some problems when using package managers that use symlinks to deduplicate (e. g. cnpm or pnpm)
- pass the resulting module in the callbacks of `Compilation.addModuleChain` and `Compilation.addModuleTree`
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates:
5.50.0 -> 5.76.0
GitHub Vulnerability Alerts
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
when importing chunks during HMR updating - handle errors in `runAsChild` callback ### [`v5.70.0`](https://togithub.com/webpack/webpack/releases/tag/v5.70.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.1...v5.70.0) ##### Features - update node.js version constraints for ESM support - add `baseUri` to `entry` options to configure a static base uri (the base of `new URL()`) - alphabetically sort exports in namespace objects when possible - add `__webpack_exports_info__.name.canMangle` - add proxy support to `experiments.buildHttp` - `import.meta.webpackContext` as ESM alternative to `require.context` - handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module ##### Bugfixes - fix problem when assigning `global` to a variable - fix crash when using `experiments.outputModule` and `loaderContext.importModule` with multiple chunks - avoid generating progress output before the compilation has started (ProgressPlugin) - fix handling of non-static-ESM dependencies with using TLA and HMR in the same module - include the asset module filename in hashing - `output.clean` will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser ##### Performance - fix asset caching when using the BannerPlugin ##### Developer Experience - improve typings ##### Contributing - capture caching errors when running the test suite ### [`v5.69.1`](https://togithub.com/webpack/webpack/releases/tag/v5.69.1) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.0...v5.69.1) ### Revert - revert "handle multiple alternative directories (e. g. 
due to resolve.alias or resolve.modules) when creating an context module" ### [`v5.69.0`](https://togithub.com/webpack/webpack/releases/tag/v5.69.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.68.0...v5.69.0) ### Features - automatically switch to an ESM compatible environment when enabling ESM output mode - handle multiple alternative directories (e. g. due to `resolve.alias` or `resolve.modules`) when creating an context module - add `util/types` to node.js built-in modules - add `__webpack_exports_info__.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.