Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Release Notes
webpack/webpack (webpack)
### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)
#### Bugfixes
- Avoid cross-realm object access by [@Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- Improve hash performance via conditional initialization by [@lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- Serialize `generatedCode` info to fix bug in asset module cache restoration by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- Improve performance of `hashRegExp` lookup by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)
#### Features
- add `target` to `LoaderContext` type by [@askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)
#### Security
- [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
#### Repo Changes
- Fix HTML5 logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- Replace TypeScript logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
- Update actions/cache dependencies by [@piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
#### New Contributors
- [@Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- [@lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- [@jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
- [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- [@piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
- [@askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)
**Full Changelog**: https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
### [`v5.75.0`](https://togithub.com/webpack/webpack/releases/tag/v5.75.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.74.0...v5.75.0)
#### Bugfixes
- `experiments.*` normalize to `false` when opted out
- avoid `NaN%`
- show the correct error when using a conflicting chunk name in code
- HMR code tests for the existence of `window` before trying to access it
- fix `eval-nosources-*` to actually exclude sources
- fix race condition where no module is returned from processing a module
- fix position of standalone semicolon in runtime code
#### Features
- add support for `@import` to external CSS when using experimental CSS in node
- add `i64` support to the deprecated WASM implementation
#### Developer Experience
- expose `EnableWasmLoadingPlugin`
- add more typings
- generate getters instead of readonly properties in typings to allow overriding them
### [`v5.74.0`](https://togithub.com/webpack/webpack/releases/tag/v5.74.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.73.0...v5.74.0)
#### Features
- add `resolve.extensionAlias` option which allows aliasing extensions
  - This is useful when you are forced to add the `.js` extension to imports when the file really has a `.ts` extension (TypeScript + `"type": "module"`)
- add support for ES2022 features like static blocks
- add Tree Shaking support for `ProvidePlugin`
#### Bugfixes
- fix persistent cache when some build dependencies are on a different Windows drive
- make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
- remove left-over debugging code from TLA/async modules runtime code
- remove unneeded extra 1s timestamp offset during watching when files are actually untouched
  - This sometimes caused an additional second build that was not really needed
- fix `shareScope` option for `ModuleFederationPlugin`
- set `"use-credentials"` also for same-origin scripts
#### Performance
- Improve memory usage and performance of aggregating needed files/directories for watching
  - This affects rebuild performance
#### Extensibility
- export `HarmonyImportDependency` for plugins
### [`v5.73.0`](https://togithub.com/webpack/webpack/releases/tag/v5.73.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.1...v5.73.0)
#### Features
- add options for default `dynamicImportMode` and prefetch and preload
- add support for `import { createRequire } from "module"` in source code
#### Bugfixes
- fix code generation of e.g. `return"field"in Module`
- fix performance of large JSON modules
- fix performance of async modules evaluation
#### Developer Experience
- export `PathData` in typings
- improve error messages with more details
### [`v5.72.1`](https://togithub.com/webpack/webpack/releases/tag/v5.72.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.0...v5.72.1)
#### Bugfixes
- fix `__webpack_nonce__` with HMR
- fix `in` operator in some cases
- fix JSON parsing error messages
- fix module concatenation when using `this.importModule`
- upgrade enhanced-resolve
### [`v5.72.0`](https://togithub.com/webpack/webpack/releases/tag/v5.72.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.71.0...v5.72.0)
#### Features
- make cache warnings caused by build errors less verbose
- Allow banner to be placed as a footer with the BannerPlugin
- allow concatenating asset modules
#### Bugfixes
- fix RemoteModules when using HMR (Module Federation + HMR)
- throw error when using module concatenation and cacheUnaffected
- fix `in` operator with nested exports
### [`v5.71.0`](https://togithub.com/webpack/webpack/releases/tag/v5.71.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.70.0...v5.71.0)
#### Features
- choose smarter default for `uniqueName` when using an `output.library` which includes placeholders
- add support for expressions with `in` of an imported binding
- generate UMD code with arrow functions when possible
#### Bugfixes
- fix source map source names for ContextModule to be relative
- fix `chunkLoading` option in module module
- fix edge case where `evaluateExpression` returns `null`
- retain optional chaining in imported bindings
- include runtime code for the base URI even if not using chunk loading
- don't throw errors in persistent caching when importing node.js builtin modules via ESM
- fix crash when using `lazy-once` Context modules
- improve handling of context modules with multiple contexts
- fix race condition in HMR chunk loading when importing chunks during HMR updating
- handle errors in `runAsChild` callback
### [`v5.70.0`](https://togithub.com/webpack/webpack/releases/tag/v5.70.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.1...v5.70.0)
#### Features
- update node.js version constraints for ESM support
- add `baseUri` to `entry` options to configure a static base URI (the base of `new URL()`)
- alphabetically sort exports in namespace objects when possible
- add `__webpack_exports_info__.name.canMangle`
- add proxy support to `experiments.buildHttp`
- `import.meta.webpackContext` as ESM alternative to `require.context`
- handle multiple alternative directories (e.g. due to `resolve.alias` or `resolve.modules`) when creating a context module
#### Bugfixes
- fix problem when assigning `global` to a variable
- fix crash when using `experiments.outputModule` and `loaderContext.importModule` with multiple chunks
- avoid generating progress output before the compilation has started (ProgressPlugin)
- fix handling of non-static-ESM dependencies when using TLA and HMR in the same module
- include the asset module filename in hashing
- `output.clean` will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster than the browser
#### Performance
- fix asset caching when using the BannerPlugin
#### Developer Experience
- improve typings
#### Contributing
- capture caching errors when running the test suite
### [`v5.69.1`](https://togithub.com/webpack/webpack/releases/tag/v5.69.1)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.0...v5.69.1)
#### Revert
- revert "handle multiple alternative directories (e.g. due to resolve.alias or resolve.modules) when creating a context module"
### [`v5.69.0`](https://togithub.com/webpack/webpack/releases/tag/v5.69.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.68.0...v5.69.0)
#### Features
- automatically switch to an ESM compatible environment when enabling ESM output mode
- handle multiple alternative directories (e.g. due to `resolve.alias` or `resolve.modules`) when creating a context module
- add `util/types` to node.js built-in modules
- add `__webpack_exports_info__..canMangle` api
#### Bugfixes
- fix bug in chunk graph generation which led to modules being included in a chunk despite already being included in parent chunks
- avoid writing more than 2GB at once during cache serialization (as a workaround for a node.js/libuv bug on macOS)
- fix handling of whitespace in semver ranges when using Module Federation
- avoid generating hashes which contain only numbers as they likely conflict with module ids
- fix resource name based placeholders for data URIs
- fix cache serialization for context elements
- fix passing of `stage` option when instrumenting plugins for the ProfilingPlugin
- fix tracking of declarations in concatenated modules to avoid conflicts
- fix unstable mangling of exports
- fix handling of `#` in paths of loaders
- avoid unnecessary cache update when using `experiments.buildHttp`
#### Contributing
- update typescript and jest
#### Developer Experience
- expose some additional typings for usage in webpack-cli
### [`v5.68.0`](https://togithub.com/webpack/webpack/releases/tag/v5.68.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.67.0...v5.68.0)
#### Features
- allow disabling compile-time evaluation of `import.meta.url`
- add `__webpack_module__` and `__webpack_module__.id` to the api
#### Bugfixes
- fix handling of errors thrown in async modules
### [`v5.67.0`](https://togithub.com/webpack/webpack/releases/tag/v5.67.0)
[Compare Source](https://togithub.com/webpack/webpack/compare/v5.66.0...v5.67.0)
#### Features
- add `outputPath` configuration option for resource asset modules
- support Trusted Types in eval source maps
- `experiments.css`
  - allow generating only exports for CSS in node
- add `SyncModuleIdsPlugin` to sync module ids between server and client compilation
- add more options to the `DeterministicModuleIdsPlugin` to allow generating equal ids
#### Developer Experience
- limit data url module name in stats printer
- allow specific description for CLI options
- improve space limiting algorithm in stats printing to show partial lists
- add `null` to errors in callbacks
- fix call signature types of `addChunkInGroup`
#### Bugfixes
- avoid reporting non-existent package.jsons as dependencies
- `experiments.css`
  - fix missing CSS runtime when only initial CSS is used
  - fix CSS HMR support
  - bugfixes to CSS modules
- fix cache serialization for `CreateScriptUrlDependency`
- fix data url content when processed by a loader
- fix regexp in identifiers that include `|`
- fix ProfilingPlugin for watch scenarios
- add layer to module names and identifiers
  - this avoids random module id changes when additional modules are added to another layer
- provide `hashFunction` parameter to DependencyTemplates to allow customizing it there
- fix HMR when `experiments.lazyCompilation` is enabled
- store url as Buffer to avoid serialization warnings
- exclude `webpack-hot-middleware/client` from lazy compilation
#### Contributing
- remove travis configuration
- improve spell checking
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:

| Package | Change |
| --- | --- |
| webpack | `5.66.0` -> `5.76.0` |

GitHub Vulnerability Alerts: CVE-2023-28154