Update dependency webpack to v5.76.0 [SECURITY] #521
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.24.4
->5.76.0
GitHub Vulnerability Alerts
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Release Notes
webpack/webpack
v5.76.0
Compare Source
Bugfixes
generatedCode
info to fix bug in asset module cache restoration by @ryanwilsonperkin in https://github.com/webpack/webpack/pull/16703hashRegExp
lookup by @ryanwilsonperkin in https://github.com/webpack/webpack/pull/16759Features
target
toLoaderContext
type by @askoufis in https://github.com/webpack/webpack/pull/16781Security
Repo Changes
New Contributors
Full Changelog: webpack/webpack@v5.75.0...v5.76.0
v5.75.0
Compare Source
Bugfixes
experiments.*
normalize tofalse
when opt-outNaN%
window
before trying to access iteval-nosources-*
actually exclude sourcesFeatures
@import
to extenal CSS when using experimental CSS in nodei64
support to the deprecated WASM implementationDeveloper Experience
EnableWasmLoadingPlugin
v5.74.0
Compare Source
Features
resolve.extensionAlias
option which allows to alias extensions.js
extension to imports when the file really has a.ts
extension (typescript +"type": "module"
)ProvidePlugin
Bugfixes
shareScope
option forModuleFederationPlugin
"use-credentials"
also for same origin scriptsPerformance
Extensibility
HarmonyImportDependency
for pluginsv5.73.0
Compare Source
Features
dynamicImportMode
and prefetch and preloadimport { createRequire } from "module"
in source codeBugfixes
return"field"in Module
Developer Experience
PathData
in typingsv5.72.1
Compare Source
Bugfixes
__webpack_nonce__
with HMRin
operator in some casesthis.importModule
v5.72.0
Compare Source
Features
Bugfixes
in
operator with nested exportsv5.71.0
Compare Source
Features
uniqueName
when using aoutput.library
which includes placeholdersin
of a imported bindingBugfixes
chunkLoading
option in module moduleevaluateExpression
returnsnull
lazy-once
Context modulesrunAsChild
callbackv5.70.0
Compare Source
Features
baseUri
toentry
options to configure a static base uri (the base ofnew URL()
)__webpack_exports_info__.name.canMangle
experiments.buildHttp
import.meta.webpackContext
as ESM alternative torequire.context
Bugfixes
global
to a variableexperiments.outputModule
andloaderContext.importModule
with multiple chunksoutput.clean
will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browserPerformance
Developer Experience
Contributing
v5.69.1
Compare Source
Revert
v5.69.0
Compare Source
Features
resolve.alias
orresolve.modules
) when creating an context moduleutil/types
to node.js built-in modules__webpack_exports_info__.<name>.canMangle
apiBugfixes
stage
option when instrumenting plugins for the ProfilingPlugin#
in paths of loadersexperiments.buildHttp
Contributing
Developer Experience
v5.68.0
Compare Source
Features
__webpack_module__
and__webpack_module__.id
to the apiBugfixes
v5.67.0
Compare Source
Features
experiments.css
SyncModuleIdsPlugin
to sync module ids between server and client compilationDeterministicModuleIdsPlugin
to allow to generate equal idsDeveloper Experience
null
to errors in callbacksBugfixes
experiments.css
|
webpack-hot-middleware/client
from lazy compilationContributing
v5.66.0
Compare Source
Features
output.library.type: "commonjs-static"
to emit a statically analyse-able commonjs module (for node.js esm interop support)experiments.css
(very experimental)Bugfixes
experiments.lazyCompilation
[absolute-resource-path]
for SourceMap module namingPerformance
watchOptions.aggregateTimeout
to 20msv5.65.0
Compare Source
Features
undefined
nowBugfixes
singleton
flag withoutrequiredVersion
in Module Federationwatchpack
for context time info bugfixPerformance
Developer Experience
output.globalObject
contains a non-trival expressionscript
type external with invalid syntaxResolver
,StatsOptions
andResolvePluginInstance
Preparations for the future
hashDigestLength
will default to 16 in webpack 6 (experiments.futureDefaults
)v5.64.4
Compare Source
Bugfixes
Performance
Developer Experience
v5.64.3
Compare Source
Performance
Infinity
is used in configurationv5.64.2
Compare Source
Bugfixes
v5.64.1
Compare Source
Bugfixes
require(...).property
inrequire.ensure
output.clean: true
unsafeCache
withinmanagedPaths
(node_modules)v5.64.0
Compare Source
Features
asyncChunks: boolean
option to disable creation of async chunksBugfixes
experiments.backCompat: false
Performance
v5.63.0
Compare Source
Features
chunkLoading: false
to disable on-demand loadingBugfixes
import 'single-quote'
in esm build dependenciesv5.62.2
Compare Source
Bugfixes
__system_context__
injection when using thelibrary
option on entrypointexportsPresence: "error"
by default infutureDefaults
exportPresence
->exportsPresence
typoexperiments.cacheUnaffected
v5.62.1
Compare Source
Bugfix
;
v5.62.0
Compare Source
Features
parser.javascript.reexportExportsPresence: false
allows to disable warnings for non-existing exports during the migration fromexport ... from "..."
toexport type ... from "..."
for type reexports in TypeScriptexperiments.backCompat: false
to disable some expensive deprecations for better performanceBugfixes
['catch']
instead of.catch
for better ES3 supportnew (require("...")).Something()
{ require }
object literalssplitChunks.chunks
option is now correctly used forsplitChunks.fallbackCacheGroup.maxSize
toolisten
option, allow to omitport
Developer Experience
/// <reference types="webpack/module" />
to use the typings in typescript modules"types": [..., "webpack/module"]
in tsconfigv5.61.0
Compare Source
Bugfixes
path
submodules in the node.js default externalsPerformance
Contribution
v5.60.0
Compare Source
Features
experiments.lazyCompilation
. e. g. port, https stuffBugfixes
output.hashFunction
used to persistent caching toobuildDependencies
Set correctly when loaders are added inbeforeLoaders
hookv5.59.1
Compare Source
Bugfixes
experiments.buildHttp
v5.59.0
Compare Source
Features
/*#__PURE__*/
forObject()
in generated codemanaged/immutablePaths
experiments.buildHttp
splitChunks.minSizeReduction
optionBugfixes
waitFor
when modules are unsafe cachedv5.58.2
Compare Source
Bugfixes
Performance
v5.58.1
Compare Source
Bugfixes
.webpack[]
suffix to not execute rulesv5.58.0
Compare Source
Features
diagnostics_channel
to node builtinsPerformance
v5.57.1
Compare Source
Bugfix
v5.57.0
Compare Source
Performance
Bugfixes
v5.56.1
Compare Source
Bugfix
v5.56.0
Compare Source
Performance
v5.55.1
Compare Source
Bugfixes
experiments.cacheUnaffected
v5.55.0
Compare Source
Performance
experiments.cacheUnaffected
module.unsafeCache
v5.54.0
Compare Source
Features
&&
||
and??
output.hashFunction
eval
is used in a moduleBugfixes
Performance
output.hashFunction: "xxhash64"
for a super fast wasm based hash functionexperiments.cacheUnaffected
which caches computations for modules that are unchanged and reference only unchanged modulesv5.53.0
Compare Source
Features
node.__dirname/__filename: "warn-mock"
which warns on usage (will be enabled in webpack 6 by default)Bugfixes
stream/web
to Node.js externalsExperiments
experiments.futureDefaults
to enable defaults for webpack 6v5.52.1
Compare Source
Performance
v5.52.0
Compare Source
Feature
experiments.executeModule
is enabled by default and the option is removedthis.importModule
Bugfixes
__WEBPACK_EXTERNAL_MODULE_null__
, which leads to merged externals.webpack[...]
extension is not part of matching and module namev5.51.2
Compare Source
Bugfixes
[contenthash]
is undefined when usingnew Worker
v5.51.1
Compare Source
Bugfixes
library: "module"
propages top-level-await correctlyv5.51.0
Compare Source
Bugfixes
yarn link
ing of dependencies.Compilation.addModuleChain
andCompilation.addModuleTree
v5.50.0
Compare Source
Features
#! ...
) are now handled by webpackPerformance
v5.49.0
Compare Source
Features
experiments.buildHttp
to buildhttp(s)://
imports instead of keeping them externalwebpack.lock
file with integrity andwebpack.lock.data
with cached content that should be committed(might be disabled with
experiments.buildHttp.upgrade: false
)(exception:
Cache-Control: no-cache
).webpack.lock.data
persisting can be disabled withexperiments.buildHttp.cacheLocation: false
.That will will introduce a availability risk.
(webpack cache will be used to cache network responses)
Bugfixes
splitChunks.maxSize
introduces in the last releasebail
is setPerformance
v5.48.0
Compare Source
Features
Bugfixes
v5.47.1
Compare Source
Bugfixes
v5.47.0
Compare Source
Performance
Bugfixes
"use strict"
s in module modev5.46.0
Compare Source
Features
stats.reasonsSpace
andstats.groupReasonsByOrigin
Bugfixes
Performance
v5.45.1
Compare Source
Bugfixes
assert
in other placesimport(/* webpackPrefetch: true */ ...)
no longer breaks library outputv5.45.0
Compare Source
Features
Bugfixes
.cjs
output filesPerformance
Contributing
v5.44.0
Compare Source
Features
output.module
+optimization.runtimeChunk
Bugfixes
v5.43.0
Compare Source
Features
runtime: false
in entry description to disable runtime chunkruntime
option in ModuleFederationPlugin and ContainerPluginBugfixes
"module"
externals when concatenatedPerformance
v5.42.1
Compare Source
Bugfixes
jsonData
ordataUrl
of undefinedv5.42.0
Compare Source
Features
cache.compression
Bugfixes
node-commonjs
to schema forexternalsType
system
externalsPerformance
v5.41.1
Compare Source
Bugfixes
Performance
v5.41.0
Compare Source
Features
cache.idleTimeoutAfterLargeChanges
to control thatBugfixes
Experiments
experiments.outputModule: true
)output.library.type: "module"
: very basic support, no live bindings, unnecessary runtime codeoutput.chunkLoading: "import"
output.chunkFormat: "module"
externalsType: "module"
generates nowimport * as X from "..."
(in a module) orimport("...")
(in a script)import { createRequire } from "module"
in a modulenew Worker
etc. sets `type: "module"v5.40.0
Compare Source
Features
node:
prefixed requests as node.js externalsinstanceof Promise
in favor ofp && typeof p.then === "function"
to allow mixing different Promise implementionsBugfixes
Performance
Developer Experience
Buffer
inthis.emitFile
typings (loader context)reset
cli argument descriptionv5.39.1
Compare Source
Bugfixes
v5.39.0
Compare Source
Features
import()
context (import with expression)Bugfixes
cache.allowCollectingMemory
Performance
Error.captureStackTrace
from webpack errorsv5.38.1
Compare Source
Performance
v5.38.0
Compare Source
Features
new URL("data:...", import.meta.url)
is now supportedmodule.rules[].scheme
as condition to match the request scheme (likedata
,http
, etc.)Bugfixes
Performance
v5.37.1
Compare Source
Bugfixes
Watching.invalidate
,dependencies
andparallelism
of the config array is now respected correctlystats
after the next compilation has startedWatching.suspend
RuleCondition.not
and allow passing a condition directly instead of only an arrayDeveloper Experience
Contributing
v5.37.0
Compare Source
Features
output.trustedTypes
Bugfixes
dependOn
null
in fs callbacksDeveloper Experiences
v5.36.2
Compare Source
Bugfixes
output.clean
is against this assumptionv5.36.1
Compare Source
Performance
cache.profile
(type: "filesystem"
only) flag for more info about (de)serialization timingsv5.36.0
Compare Source
Features
Performance
v5.35.1
Compare Source
Bugfixes
__webpack_exports__ is not defined
error with some library typesperformance
v5.35.0
Compare Source
Bugfixes
#
in pathPerformance
v5.34.0
Compare Source
Features
resolve.extensions
and handle them in this orderpnpapi
as builtin external when usingtarget: "node"
Bugfixes
target: "node"
Performance
Developer Experience
store: 'idle'
from schema descriptionv5.33.2
Compare Source
Bugfix
v5.33.1
Compare Source
Bugfix
this.importModule
v5.33.0
Compare Source
Features
publicPath
per entrypointentry.xxx.publicPath
optionBugfix
executeModule
Performance
export *
and reexportsv5.32.0
Compare Source
Features
.webpack[type]
(e. g..webpack[javascript/auto]
) to specify the default module type when no other module type is specified!=!
inline syntaxBugfixes
Experiments
experiments.executeModule
to allow build-time execution of modules of the module graphthis.importModule(request, options, [callback]): Promise
to the loader contextcompilation.executeModule(request, options, callback)
for pluginsv5.31.2
Compare Source
Bugfixes
v5.31.1
Compare Source
Bugfixes
Memory
Performance
v5.31.0
Compare Source
Features
infrastructureLogging.colors
: Enables/Disables colorful output.infrastructureLogging.appendOnly
: Only appends lines to the output. Avoids updating existing output e. g. for status messages.infrastructureLogging.stream
: Stream used for logging output. Defaults to process.stderr.infrastructureLogging.console
: Custom console used for logging.Bugfixes
exports
field is usedv5.30.0
Compare Source
Features
cache.maxGenerations
whencache.type: "memory"
cache.type: "filesystem"
andmode: "development"
cache.maxMemoryGenerations
whencache.type: "filesystem"
cache.maxAge
cache.maxMemoryGenerations: 0
Bugfixes
GC = Garbage Collection
v5.29.0
Compare Source
Bugfixes
splitChunks.maxSize
which cause too large chunks to be createdstats.groupModulesByType
to the schemaDeveloper Experience
Module/Const/NullDependency
on the APIv5.28.0
Compare Source
Features
module.generator.asset.publicPath
to configure a different publicPath for assetsBugfixes
Performance
v5.27.2
Compare Source
Bugfixes
beforeLoaders
hookexperiments.lazyCompilation
is used (regression)import()
new URL(new URL
generated by worker handingv5.27.1
Compare Source
Bugfix
v5.27.0
Compare Source
Features
utils: { contextify(context, absolutePath), absolutify(context, request) }
to loader contextBugfixes
imports
field handlingv5.26.3
Compare Source
Bugfix
v5.26.2
Compare Source
Bugfixes
v5.26.1
Compare Source
Bugfixes
Set.addAll
polyfill../
when generation the undo path for non-web targetsv5.26.0
Compare Source
Features
DefinePlugin.runtimeValue
(file/context/missing/buildDependencies, version)Bugfixes
v5.25.1
Compare Source
Bugfixes
type: "module"
for Workers when generating classic scriptsv5.25.0
Compare Source
Features
__webpack_runtime_id__
to access the current runtime idoutput.strictModuleErrorHandling
to opt into stricter evaluation error handling semantics according to ESM specnew URL()
this will result in an url to a empty file ("data:,"
)module.generator.asset.emit
option to disable creating assets from asset modules (e. g. for SSR)Bugfixes
splitChunks.maxSize
where negative indicies are accessedsplitChunks.maxSize
in some cases when multiple size types are involvedDeprecations
output.strictModuleExceptionHandling
(this is the CommonJS way of handling errors, and the name is weird)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.