Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.
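The class of bug the advisory describes, shown as an added example (this is not the project's code or its actual fix): `JSON.stringify()` output embedded in an inline `<script>` element, next to a version that escapes HTML-significant characters. The function names and the sample chart data are constructed for illustration.

```javascript
// Constructed sample: a module label containing text the HTML parser
// treats as markup. Not taken from the project or from a real build.
const chartData = [{ label: 'src/a</script>.js', statSize: 120 }];

// Unsafe: JSON.stringify() yields valid JSON, but not text that is safe
// inside an inline <script>. The HTML parser closes the script element at
// the first "</script" it meets, even inside a JavaScript string literal.
function renderUnsafe(data) {
  return `<script>window.chartData = ${JSON.stringify(data)};</script>`;
}

// Hardened: after serializing, rewrite characters that matter to the HTML
// parser (and the two line separators that older JS engines reject in
// string literals) as \uXXXX escapes. In JSON these characters can only
// occur inside string values, where the escape decodes to the same
// character, so the data round-trips unchanged.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function escapeJsonForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

function renderSafe(data) {
  return `<script>window.chartData = ${escapeJsonForScript(data)};</script>`;
}

// Number of places where the HTML parser would end a script element.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log('unsafe end tags:', countScriptEndTags(renderUnsafe(chartData)));
console.log('safe end tags:  ', countScriptEndTags(renderSafe(chartData)));
```

More than one script end tag in the unsafe output means the data, not the template, decides where the script block ends.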
Release Notes
webpack-contrib/webpack-bundle-analyzer
### [`v3.3.2`](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/blob/master/CHANGELOG.md#332)
[Compare Source](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/compare/v3.3.1...v3.3.2)
- **Bug Fix**
  - Fix regression with escaping internal assets ([#264](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/pull/264), fixes [#263](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/issues/263))
### [`v3.3.1`](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/blob/master/CHANGELOG.md#331)
[Compare Source](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/compare/v3.3.0...v3.3.1)
- **Improvements**
  - Use relative links for serving internal assets ([#261](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/pull/261), fixes [#254](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/issues/254))
  - Properly escape embedded JS/JSON ([#262](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/pull/262))
- **Bug Fix**
  - Fix showing help message on `-h` flag ([#260](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/pull/260), fixes [#239](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/issues/239))
### [`v3.3.0`](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/blob/master/CHANGELOG.md#330)
[Compare Source](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/compare/v3.2.0...v3.3.0)
- **New Feature**
  - Show/hide chunks using context menu ([#246](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/pull/246), [@bregenspan](https://togithub.com/bregenspan))
- **Internal**
  - Updated dev dependencies
### [`v3.2.0`](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/blob/master/CHANGELOG.md#320)
[Compare Source](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/compare/v3.1.0...v3.2.0)
- **Improvements**
  - Add support for .mjs output files ([#252](https://togithub.com/webpack-contrib/webpack-bundle-analyzer/pull/252), [@jlopezxs](https://togithub.com/jlopezxs))
Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
webpack-bundle-analyzer: 3.1.0 -> 3.3.2
GitHub Vulnerability Alerts
GHSA-pgr8-jg6h-8gw6 / WS-2019-0058
This PR has been generated by WhiteSource Renovate. View repository job log here.