yamaryu0508 / vscode-dev-containers


Update dependency webpack to v5.76.0 [SECURITY] #351

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago


This PR contains the following updates:

| Package | Change |
|---|---|
| webpack | 5.58.0 -> 5.76.0 |

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.


Release Notes

webpack/webpack (webpack)

### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

- Avoid cross-realm object access by [@Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- Improve hash performance via conditional initialization by [@lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- Serialize `generatedCode` info to fix bug in asset module cache restoration by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- Improve performance of `hashRegExp` lookup by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)

#### Features

- add `target` to `LoaderContext` type by [@askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

#### Security

- [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)

#### Repo Changes

- Fix HTML5 logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- Replace TypeScript logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
- Update actions/cache dependencies by [@piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)

#### New Contributors

- [@Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- [@lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- [@jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
- [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- [@piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
- [@askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

**Full Changelog**: https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0

### [`v5.75.0`](https://togithub.com/webpack/webpack/releases/tag/v5.75.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.74.0...v5.75.0)

### Bugfixes

- `experiments.*` normalize to `false` when opt-out
- avoid `NaN%`
- show the correct error when using a conflicting chunk name in code
- HMR code tests existence of `window` before trying to access it
- fix `eval-nosources-*` actually exclude sources
- fix race condition where no module is returned from processing module
- fix position of standalone semicolon in runtime code

### Features

- add support for `@import` to external CSS when using experimental CSS in node
- add `i64` support to the deprecated WASM implementation

### Developer Experience

- expose `EnableWasmLoadingPlugin`
- add more typings
- generate getters instead of readonly properties in typings to allow overriding them

### [`v5.74.0`](https://togithub.com/webpack/webpack/releases/tag/v5.74.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.73.0...v5.74.0)

### Features

- add `resolve.extensionAlias` option which allows to alias extensions
  - This is useful when you are forced to add the `.js` extension to imports when the file really has a `.ts` extension (typescript + `"type": "module"`)
- add support for ES2022 features like static blocks
- add Tree Shaking support for `ProvidePlugin`

### Bugfixes

- fix persistent cache when some build dependencies are on a different windows drive
- make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
- remove left-over from debugging in TLA/async modules runtime code
- remove unneeded extra 1s timestamp offset during watching when files are actually untouched
  - This sometimes caused an additional second build which are not really needed
- fix `shareScope` option for `ModuleFederationPlugin`
- set `"use-credentials"` also for same origin scripts

### Performance

- Improve memory usage and performance of aggregating needed files/directories for watching
  - This affects rebuild performance

### Extensibility

- export `HarmonyImportDependency` for plugins

### [`v5.73.0`](https://togithub.com/webpack/webpack/releases/tag/v5.73.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.1...v5.73.0)

### Features

- add options for default `dynamicImportMode` and prefetch and preload
- add support for `import { createRequire } from "module"` in source code

### Bugfixes

- fix code generation of e. g. `return"field"in Module`
- fix performance of large JSON modules
- fix performance of async modules evaluation

### Developer Experience

- export `PathData` in typings
- improve error messages with more details

### [`v5.72.1`](https://togithub.com/webpack/webpack/releases/tag/v5.72.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.0...v5.72.1)

### Bugfixes

- fix `__webpack_nonce__` with HMR
- fix `in` operator in some cases
- fix json parsing error messages
- fix module concatenation with using `this.importModule`
- upgrade enhanced-resolve

### [`v5.72.0`](https://togithub.com/webpack/webpack/releases/tag/v5.72.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.71.0...v5.72.0)

### Features

- make cache warnings caused by build errors less verbose
- Allow banner to be placed as a footer with the BannerPlugin
- allow to concatenate asset modules

### Bugfixes

- fix RemoteModules when using HMR (Module Federation + HMR)
- throw error when using module concatenation and cacheUnaffected
- fix `in` operator with nested exports

### [`v5.71.0`](https://togithub.com/webpack/webpack/releases/tag/v5.71.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.70.0...v5.71.0)

### Features

- choose smarter default for `uniqueName` when using a `output.library` which includes placeholders
- add support for expressions with `in` of an imported binding
- generate UMD code with arrow functions when possible

### Bugfixes

- fix source map source names for ContextModule to be relative
- fix `chunkLoading` option in module module
- fix edge case where `evaluateExpression` returns `null`
- retain optional chaining in imported bindings
- include runtime code for the base URI even if not using chunk loading
- don't throw errors in persistent caching when importing node.js builtin modules via ESM
- fix crash when using `lazy-once` Context modules
- improve handling of context modules with multiple contexts
- fix race condition HMR chunk loading when importing chunks during HMR updating
- handle errors in `runAsChild` callback

### [`v5.70.0`](https://togithub.com/webpack/webpack/releases/tag/v5.70.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.1...v5.70.0)

### Features

- update node.js version constraints for ESM support
- add `baseUri` to `entry` options to configure a static base uri (the base of `new URL()`)
- alphabetically sort exports in namespace objects when possible
- add `__webpack_exports_info__.name.canMangle`
- add proxy support to `experiments.buildHttp`
- `import.meta.webpackContext` as ESM alternative to `require.context`
- handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating a context module

### Bugfixes

- fix problem when assigning `global` to a variable
- fix crash when using `experiments.outputModule` and `loaderContext.importModule` with multiple chunks
- avoid generating progress output before the compilation has started (ProgressPlugin)
- fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
- include the asset module filename in hashing
- `output.clean` will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster than the browser

### Performance

- fix asset caching when using the BannerPlugin

### Developer Experience

- improve typings

### Contributing

- capture caching errors when running the test suite

### [`v5.69.1`](https://togithub.com/webpack/webpack/releases/tag/v5.69.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.0...v5.69.1)

### Revert

- revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating a context module"

### [`v5.69.0`](https://togithub.com/webpack/webpack/releases/tag/v5.69.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.68.0...v5.69.0)

### Features

- automatically switch to an ESM compatible environment when enabling ESM output mode
- handle multiple alternative directories (e. g. due to `resolve.alias` or `resolve.modules`) when creating a context module
- add `util/types` to node.js built-in modules
- add `__webpack_exports_info__..canMangle` api

### Bugfixes

- fix bug in chunk graph generation which leads to modules being included in chunk despite them being already included in parent chunks
- avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
- fix handling of whitespaces in semver ranges when using Module Federation
- avoid generating hashes which contain only numbers as they likely conflict with module ids
- fix resource name based placeholders for data uris
- fix cache serialization for context elements
- fix passing of `stage` option when instrumenting plugins for the ProfilingPlugin
- fix tracking of declarations in concatenated modules to avoid conflicts
- fix unstable mangling of exports
- fix handling of `#` in paths of loaders
- avoid unnecessary cache update when using `experiments.buildHttp`

### Contributing

- update typescript and jest

### Developer Experience

- expose some additional typings for usage in webpack-cli

### [`v5.68.0`](https://togithub.com/webpack/webpack/releases/tag/v5.68.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.67.0...v5.68.0)

### Features

- allow to disable compile time evaluation of import.meta.url
- add `__webpack_module__` and `__webpack_module__.id` to the api

### Bugfixes

- fix handling of errors thrown in async modules

### [`v5.67.0`](https://togithub.com/webpack/webpack/releases/tag/v5.67.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.66.0...v5.67.0)

### Features

- add 'outputPath' configuration option for resource asset modules
- support Trusted Types in eval source maps
- `experiments.css`
  - allow to generate only exports for css in node
- add `SyncModuleIdsPlugin` to sync module ids between server and client compilation
- add more options to the `DeterministicModuleIdsPlugin` to allow to generate equal ids

### Developer Experience

- limit data url module name in stats printer
- allow specific description for CLI options
- improve space limiting algorithm in stats printing to show partial lists
- add `null` to errors in callbacks
- fix call signature types of addChunkInGroup

### Bugfixes

- avoid reporting non-existent package.jsons as dependencies
- `experiments.css`
  - fix missing css runtime when only initial css is used
  - fix css hmr support
  - bugfixes to css modules
- fix cache serialization for CreateScriptUrlDependency
- fix data url content when processed by a loader
- fix regexp in identifiers that include `|`
- fix ProfilingPlugin for watch scenarios
- add layer to module names and identifiers
  - this avoid random module id changes when additional modules are added to another layer
- provide hashFunction parameter to DependencyTemplates to allow customizing it there
- fix HMR when experiments.lazyCompilation is enabled
- store url as Buffer to avoid serialization warnings
- exclude `webpack-hot-middleware/client` from lazy compilation

### Contributing

- remove travis configuration
- improve spell checking

### [`v5.66.0`](https://togithub.com/webpack/webpack/releases/tag/v5.66.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.65.0...v5.66.0)

### Features

- add `output.library.type: "commonjs-static"` to emit a statically analyse-able commonjs module (for node.js esm interop support)
- add `experiments.css` (very experimental)
  - see [https://github.com/webpack/webpack/issues/14893](https://togithub.com/webpack/webpack/issues/14893)

### Bugfixes

- fix CORS headers for `experiments.lazyCompilation`
- fix `[absolute-resource-path]` for SourceMap module naming
- avoid stack overflow when accessing many memory cached cache values in series

### Performance

- reduce default `watchOptions.aggregateTimeout` to 20ms

### [`v5.65.0`](https://togithub.com/webpack/webpack/releases/tag/v5.65.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.4...v5.65.0)

### Features

- static evaluation understands `undefined` now
- reduce container entry code by a few chars
- use template literals when available and they make sense

### Bugfixes

- handle `singleton` flag without `requiredVersion` in Module Federation
- upgrade `watchpack` for context time info bugfix

### Performance

- improve RegExp in error message formatting for non-quadratic performance

### Developer Experience

- automatically insert brackets when `output.globalObject` contains a non-trivial expression
- show error when using `script` type external with invalid syntax
- expose types for `Resolver`, `StatsOptions` and `ResolvePluginInstance`

### Preparations for the future

- `hashDigestLength` will default to 16 in webpack 6 (`experiments.futureDefaults`)

### [`v5.64.4`](https://togithub.com/webpack/webpack/releases/tag/v5.64.4)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.3...v5.64.4)

### Bugfixes

- fix tagged template literal evaluation
- fix ModuleFederation with ESM
- fix outputModule with initial splitChunks

### Performance

- upgrade watchpack for faster watcher updating
- track file and directory timestamps separately in watchpack and webpack

### Developer Experience

- show origin of singleton shared module in mismatch warning

### [`v5.64.3`](https://togithub.com/webpack/webpack/releases/tag/v5.64.3)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.2...v5.64.3)

### Performance

- allow to use pre-compiled schema when `Infinity` is used in configuration
- allow to use pre-compiled schema for configuration arrays

### [`v5.64.2`](https://togithub.com/webpack/webpack/releases/tag/v5.64.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.1...v5.64.2)

### Bugfixes

- avoid double initial compilation due to invalid dependencies with managedPaths

### [`v5.64.1`](https://togithub.com/webpack/webpack/releases/tag/v5.64.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.0...v5.64.1)

### Bugfixes

- fix regexp in managedPaths to exclude additional slash
- make module.accept errorHandler optional in typings
- correctly create an async chunk when using a `require(...).property` in `require.ensure`
- fix cleaning of symlinks in `output.clean: true`
- fix change detection with `unsafeCache` within `managedPaths` (node_modules)
- bump webpack-sources for Stack Overflow bugfix

### [`v5.64.0`](https://togithub.com/webpack/webpack/releases/tag/v5.64.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.63.0...v5.64.0)

### Features

- add `asyncChunks: boolean` option to disable creation of async chunks

### Bugfixes

- fix ProfilingPlugin for `experiments.backCompat: false`

### Performance

- avoid running regexp twice over the file list

### [`v5.63.0`](https://togithub.com/webpack/webpack/releases/tag/v5.63.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.2...v5.63.0)

### Features

- allow passing `chunkLoading: false` to disable on-demand loading

### Bugfixes

- fix `import 'single-quote'` in esm build dependencies

### [`v5.62.2`](https://togithub.com/webpack/webpack/releases/tag/v5.62.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.1...v5.62.2)

### Bugfixes

- fix `__system_context__` injection when using the `library` option on entrypoint
- enable `exportsPresence: "error"` by default in `futureDefaults`
- fix bad performance for a RegExp in Stats printing (with large error messages)
- fix `exportPresence` -> `exportsPresence` typo
- fix a bug with module invalidation when only module id changes with `experiments.cacheUnaffected`

### [`v5.62.1`](https://togithub.com/webpack/webpack/releases/tag/v5.62.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.0...v5.62.1)

### Bugfix

- fix invalid generated code when omitting `;`

### [`v5.62.0`](https://togithub.com/webpack/webpack/releases/tag/v5.62.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.61.0...v5.62.0)

### Features

- add options to configure export presence checking
  - `parser.javascript.reexportExportsPresence: false` allows to disable warnings for non-existing exports during the migration from `export ... from "..."` to `export type ... from "..."` for type reexports in TypeScript
- add `experiments.backCompat: false` to disable some expensive deprecations for better performance

### Bugfixes

- use `['catch']` instead of `.catch` for better ES3 support
- fix removed parentheses when using `new (require("...")).Something()`
- fix `{ require }` object literals
- `splitChunks.chunks` option is now correctly used for `splitChunks.fallbackCacheGroup.maxSize` too
- fix schema of `listen` option, allow to omit `port`
- add better support for Promises from different isolates

### Developer Experience

- add typings for the webpack API that is available within modules
  - use `/// ` to use the typings in typescript modules
  - or `"types": [..., "webpack/module"]` in tsconfig

### [`v5.61.0`](https://togithub.com/webpack/webpack/releases/tag/v5.61.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.60.0...v5.61.0)

### Bugfixes

- use a wasm md4 implementation for node 17 support
- include the `path` submodules in the node.js default externals

### Performance

- improve string to binary conversion performance for hashing

### Contribution

- CI runs on node.js 17

### [`v5.60.0`](https://togithub.com/webpack/webpack/releases/tag/v5.60.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.59.1...v5.60.0)

### Features

- Allow to pass more options to `experiments.lazyCompilation`. e. g. port, https stuff

### Bugfixes

- fix `output.hashFunction` used to persistent caching too
- Initialize `buildDependencies` Set correctly when loaders are added in `beforeLoaders` hook

### [`v5.59.1`](https://togithub.com/webpack/webpack/releases/tag/v5.59.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.59.0...v5.59.1)

### Bugfixes

- fix regexp in managedPaths
- fix hanging when trying to write lockfile for `experiments.buildHttp`

### [`v5.59.0`](https://togithub.com/webpack/webpack/releases/tag/v5.59.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.2...v5.59.0)

### Features

- add `/*#__PURE__*/` for `Object()` in generated code
- add RegExp and function support for `managed/immutablePaths`
- add hooks for multiple phases in module build
- improvements to `experiments.buildHttp`
  - allow to share cache
  - add allowlist
- add `splitChunks.minSizeReduction` option

### Bugfixes

- fix memory caching for Data URLs
- fix crash in `waitFor` when modules are unsafe cached
- fix bug in build cycle detection

### [`v5.58.2`](https://togithub.com/webpack/webpack/releases/tag/v5.58.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.1...v5.58.2)

### Bugfixes

- fix serialization context passed
- fix a bug which caused module duplication when using persistent caching, unsafe cache and memory cache with GC
- fix validation of snapshots of non-existing directories

### Performance

- store a hash in first bits of bigint to workaround v8 hashing: https://github.com/v8/v8/blob/b704bc0958e2e26305a68e89d215af1aee011148/src/objects/bigint.h#L192-L195

### [`v5.58.1`](https://togithub.com/webpack/webpack/releases/tag/v5.58.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.0...v5.58.1)

### Bugfixes

- fix `.webpack[]` suffix to not execute rules
- revert performance optimization that has too large memory usage in large builds

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.