Open renovate[bot] opened 1 year ago
A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions.
Also referred to as Stack buffer overflows. This vulnerability occurs when data received by a program is written to a memory location on the stack and the allocated space is not large enough to take the whole input. If proper boundary checks are not implemented, or unsafe functions like sprintf, fgets etc. are used which don't require a destination size limit the stack memory after the target buffer may be written to, allowing an attacker to alter the normal behaviour of the program. Most modern compilers now have a secure switch which may reorder stack variables and generate extra code to protect against this type of vulnerability.
This PR contains the following updates:
5.51.1
->5.76.0
GitHub Vulnerability Alerts
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Release Notes
webpack/webpack (webpack)
### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0) #### Bugfixes - Avoid cross-realm object access by [@Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500) - Improve hash performance via conditional initialization by [@lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491) - Serialize `generatedCode` info to fix bug in asset module cache restoration by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703) - Improve performance of `hashRegExp` lookup by [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759) #### Features - add `target` to `LoaderContext` type by [@askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781) #### Security - [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446) #### Repo Changes - Fix HTML5 logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614) - Replace TypeScript logo in README by [@jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613) - Update actions/cache dependencies by [@piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493) #### New Contributors - [@Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500) - [@lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491) - [@jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614) - [@akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446) - [@ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703) - [@piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493) - [@askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781) **Full Changelog**: https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0 ### [`v5.75.0`](https://togithub.com/webpack/webpack/releases/tag/v5.75.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.74.0...v5.75.0) ### Bugfixes - `experiments.*` normalize to `false` when opt-out - avoid `NaN%` - show the correct error when using a conflicting chunk name in code - HMR code tests existance of `window` before trying to access it - fix `eval-nosources-*` actually exclude sources - fix race condition where no module is returned from processing module - fix position of standalong semicolon in runtime code ### Features - add support for `@import` to extenal CSS when using experimental CSS in node - add `i64` support to the deprecated WASM implementation ### Developer Experience - expose `EnableWasmLoadingPlugin` - add more typings - generate getters instead of readonly properties in typings to allow overriding them ### [`v5.74.0`](https://togithub.com/webpack/webpack/releases/tag/v5.74.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.73.0...v5.74.0) ### Features - add `resolve.extensionAlias` option which allows to alias extensions - This is useful when you are forced to add the `.js` extension to imports when the file really has a `.ts` extension (typescript + `"type": "module"`) - add support for ES2022 features like static blocks - add Tree Shaking support for `ProvidePlugin` ### Bugfixes - fix persistent cache when some build dependencies are on a different windows drive - make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules - remove left-over from debugging in TLA/async modules runtime code - remove unneeded extra 1s timestamp offset during watching when files are actually untouched - This sometimes caused an additional second build which are not really needed - fix `shareScope` option for `ModuleFederationPlugin` - set `"use-credentials"` also for same origin scripts ### Performance - Improve memory usage and performance of aggregating needed files/directories for watching - This affects rebuild performance ### Extensibility - export `HarmonyImportDependency` for plugins ### [`v5.73.0`](https://togithub.com/webpack/webpack/releases/tag/v5.73.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.1...v5.73.0) ### Features - add options for default `dynamicImportMode` and prefetch and preload - add support for `import { createRequire } from "module"` in source code ### Bugfixes - fix code generation of e. g. `return"field"in Module` - fix performance of large JSON modules - fix performance of async modules evaluation ### Developer Experience - export `PathData` in typings - improve error messages with more details ### [`v5.72.1`](https://togithub.com/webpack/webpack/releases/tag/v5.72.1) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.0...v5.72.1) ### Bugfixes - fix `__webpack_nonce__` with HMR - fix `in` operator in some cases - fix json parsing error messages - fix module concatenation with using `this.importModule` - upgrade enhanced-resolve ### [`v5.72.0`](https://togithub.com/webpack/webpack/releases/tag/v5.72.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.71.0...v5.72.0) ### Features - make cache warnings caused by build errors less verbose - Allow banner to be placed as a footer with the BannerPlugin - allow to concatenate asset modules ### Bugfixes - fix RemoteModules when using HMR (Module Federation + HMR) - throw error when using module concatenation and cacheUnaffected - fix `in` operator with nested exports ### [`v5.71.0`](https://togithub.com/webpack/webpack/releases/tag/v5.71.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.70.0...v5.71.0) ### Features - choose smarter default for `uniqueName` when using a `output.library` which includes placeholders - add support for expressions with `in` of a imported binding - generate UMD code with arrow functions when possible ### Bugfixes - fix source map source names for ContextModule to be relative - fix `chunkLoading` option in module module - fix edge case where `evaluateExpression` returns `null` - retain optional chaining in imported bindings - include runtime code for the base URI even if not using chunk loading - don't throw errors in persistent caching when importing node.js builtin modules via ESM - fix crash when using `lazy-once` Context modules - improve handling of context modules with multiple contexts - fix race condition HMR chunk loading when importing chunks during HMR updating - handle errors in `runAsChild` callback ### [`v5.70.0`](https://togithub.com/webpack/webpack/releases/tag/v5.70.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.1...v5.70.0) ### Features - update node.js version constraints for ESM support - add `baseUri` to `entry` options to configure a static base uri (the base of `new URL()`) - alphabetically sort exports in namespace objects when possible - add `__webpack_exports_info__.name.canMangle` - add proxy support to `experiments.buildHttp` - `import.meta.webpackContext` as ESM alternative to `require.context` - handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module ### Bugfixes - fix problem when assigning `global` to a variable - fix crash when using `experiments.outputModule` and `loaderContext.importModule` with multiple chunks - avoid generating progress output before the compilation has started (ProgressPlugin) - fix handling of non-static-ESM dependencies with using TLA and HMR in the same module - include the asset module filename in hashing - `output.clean` will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser ### Performance - fix asset caching when using the BannerPlugin ### Developer Experience - improve typings ### Contributing - capture caching errors when running the test suite ### [`v5.69.1`](https://togithub.com/webpack/webpack/releases/tag/v5.69.1) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.0...v5.69.1) ### Revert - revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module" ### [`v5.69.0`](https://togithub.com/webpack/webpack/releases/tag/v5.69.0) [Compare Source](https://togithub.com/webpack/webpack/compare/v5.68.0...v5.69.0) ### Features - automatically switch to an ESM compatible environment when enabling ESM output mode - handle multiple alternative directories (e. g. due to `resolve.alias` or `resolve.modules`) when creating an context module - add `util/types` to node.js built-in modules - add `__webpack_exports_info__.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.