chore(deps): update dependency webpack to v5.76.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
webpack	5.62.1 -> 5.76.0

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

---

Release Notes

webpack/webpack (webpack)

v5.76.0

Compare Source

Bugfixes

• Avoid cross-realm object access by @​Jack-Works in #​16500
• Improve hash performance via conditional initialization by @​lvivski in #​16491
• Serialize generatedCode info to fix bug in asset module cache restoration by @​ryanwilsonperkin in #​16703
• Improve performance of hashRegExp lookup by @​ryanwilsonperkin in #​16759

Features

• add target to LoaderContext type by @​askoufis in #​16781

Security

• CVE-2022-37603 fixed by @​akhilgkrishnan in #​16446

Repo Changes

• Fix HTML5 logo in README by @​jakebailey in #​16614
• Replace TypeScript logo in README by @​jakebailey in #​16613
• Update actions/cache dependencies by @​piwysocki in #​16493

New Contributors

• @​Jack-Works made their first contribution in #​16500
• @​lvivski made their first contribution in #​16491
• @​jakebailey made their first contribution in #​16614
• @​akhilgkrishnan made their first contribution in #​16446
• @​ryanwilsonperkin made their first contribution in #​16703
• @​piwysocki made their first contribution in #​16493
• @​askoufis made their first contribution in #​16781

Full Changelog: webpack/webpack@v5.75.0...v5.76.0

v5.75.0

Compare Source

Bugfixes

• experiments.* normalize to false when opt-out
• avoid NaN%
• show the correct error when using a conflicting chunk name in code
• HMR code tests existance of window before trying to access it
• fix eval-nosources-* actually exclude sources
• fix race condition where no module is returned from processing module
• fix position of standalong semicolon in runtime code

Features

• add support for @import to extenal CSS when using experimental CSS in node
• add i64 support to the deprecated WASM implementation

Developer Experience

• expose EnableWasmLoadingPlugin
• add more typings
• generate getters instead of readonly properties in typings to allow overriding them

v5.74.0

Compare Source

Features

• add resolve.extensionAlias option which allows to alias extensions
  • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
• add support for ES2022 features like static blocks
• add Tree Shaking support for ProvidePlugin

Bugfixes

• fix persistent cache when some build dependencies are on a different windows drive
• make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
• remove left-over from debugging in TLA/async modules runtime code
• remove unneeded extra 1s timestamp offset during watching when files are actually untouched
  • This sometimes caused an additional second build which are not really needed
• fix shareScope option for ModuleFederationPlugin
• set "use-credentials" also for same origin scripts

Performance

• Improve memory usage and performance of aggregating needed files/directories for watching
  • This affects rebuild performance

Extensibility

• export HarmonyImportDependency for plugins

v5.73.0

Compare Source

Features

• add options for default dynamicImportMode and prefetch and preload
• add support for import { createRequire } from "module" in source code

Bugfixes

• fix code generation of e. g. return"field"in Module
• fix performance of large JSON modules
• fix performance of async modules evaluation

Developer Experience

• export PathData in typings
• improve error messages with more details

v5.72.1

Compare Source

Bugfixes

• fix __webpack_nonce__ with HMR
• fix in operator in some cases
• fix json parsing error messages
• fix module concatenation with using this.importModule
• upgrade enhanced-resolve

v5.72.0

Compare Source

Features

• make cache warnings caused by build errors less verbose
• Allow banner to be placed as a footer with the BannerPlugin
• allow to concatenate asset modules

Bugfixes

• fix RemoteModules when using HMR (Module Federation + HMR)
• throw error when using module concatenation and cacheUnaffected
• fix in operator with nested exports

v5.71.0

Compare Source

Features

• choose smarter default for uniqueName when using a output.library which includes placeholders
• add support for expressions with in of a imported binding
• generate UMD code with arrow functions when possible

Bugfixes

• fix source map source names for ContextModule to be relative
• fix chunkLoading option in module module
• fix edge case where evaluateExpression returns null
• retain optional chaining in imported bindings
• include runtime code for the base URI even if not using chunk loading
• don't throw errors in persistent caching when importing node.js builtin modules via ESM
• fix crash when using lazy-once Context modules
• improve handling of context modules with multiple contexts
• fix race condition HMR chunk loading when importing chunks during HMR updating
• handle errors in runAsChild callback

v5.70.0

Compare Source

Features

• update node.js version constraints for ESM support
• add baseUri to entry options to configure a static base uri (the base of new URL())
• alphabetically sort exports in namespace objects when possible
• add __webpack_exports_info__.name.canMangle
• add proxy support to experiments.buildHttp
• import.meta.webpackContext as ESM alternative to require.context
• handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

Bugfixes

• fix problem when assigning global to a variable
• fix crash when using experiments.outputModule and loaderContext.importModule with multiple chunks
• avoid generating progress output before the compilation has started (ProgressPlugin)
• fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
• include the asset module filename in hashing
• output.clean will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

Performance

• fix asset caching when using the BannerPlugin

Developer Experience

• improve typings

Contributing

• capture caching errors when running the test suite

v5.69.1

Compare Source

Revert

• revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"

v5.69.0

Compare Source

Features

• automatically switch to an ESM compatible environment when enabling ESM output mode
• handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module
• add util/types to node.js built-in modules
• add __webpack_exports_info__.<name>.canMangle api

Bugfixes

• fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
• avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
• fix handling of whitespaces in semver ranges when using Module Federation
• avoid generating hashes which contain only numbers as they likely conflict with module ids
• fix resource name based placeholders for data uris
• fix cache serialization for context elements
• fix passing of stage option when instrumenting plugins for the ProfilingPlugin
• fix tracking of declarations in concatenated modules to avoid conflicts
• fix unstable mangling of exports
• fix handling of # in paths of loaders
• avoid unnecessary cache update when using experiments.buildHttp

Contributing

• update typescript and jest

Developer Experience

• expose some additional typings for usage in webpack-cli

v5.68.0

Compare Source

Features

• allow to disable compile time evaluation of import.meta.url
• add __webpack_module__ and __webpack_module__.id to the api

Bugfixes

• fix handling of errors thrown in async modules

v5.67.0

Compare Source

Features

• add 'outputPath' configuration option for resource asset modules
• support Trusted Types in eval source maps
• experiments.css
  • allow to generate only exports for css in node
  • add SyncModuleIdsPlugin to sync module ids between server and client compilation
  • add more options to the DeterministicModuleIdsPlugin to allow to generate equal ids

Developer Experience

• limit data url module name in stats printer
• allow specific description for CLI options
• improve space limiting algorithm in stats printing to show partial lists
• add null to errors in callbacks
• fix call signature types of addChunkInGroup

Bugfixes

• avoid reporting non-existant package.jsons as dependencies
• experiments.css
  • fix missing css runtime when only initial css is used
  • fix css hmr support
  • bugfixes to css modules
• fix cache serialization for CreateScriptUrlDependency
• fix data url content when processed by a loader
• fix regexp in identifiers that include |
• fix ProfilingPlugin for watch scenarios
• add layer to module names and identifiers
  • this avoid random module id changes when additional modules are added to another layer
• provide hashFunction parameter to DependencyTemplates to allow customizing it there
• fix HMR when experiments.lazyCompilation is enabled
• store url as Buffer to avoid serialization warnings
• exclude webpack-hot-middleware/client from lazy compilation

Contributing

• remove travis configuration
• improve spell checking

v5.66.0

Compare Source

Features

• add output.library.type: "commonjs-static" to emit a statically analyse-able commonjs module (for node.js esm interop support)
• add experiments.css (very experimental)
  • see #​14893

Bugfixes

• fix CORS headers for experiments.lazyCompilation
• fix [absolute-resource-path] for SourceMap module naming
• avoid stack overflow when accessing many memory cached cache values in series

Performance

• reduce default watchOptions.aggregateTimeout to 20ms

v5.65.0

Compare Source

Features

• static evaluation understands undefined now
• reduce container entry code by a few chars
• use template literals when available and they make sense

Bugfixes

• handle singleton flag without requiredVersion in Module Federation
• upgrade watchpack for context time info bugfix

Performance

• improve RegExp in error message formating for non-quadratic performance

Developer Experience

• automatically insert brackets when output.globalObject contains a non-trival expression
• show error when using script type external with invalid syntax
• expose types for Resolver, StatsOptions and ResolvePluginInstance

Preparations for the future

• hashDigestLength will default to 16 in webpack 6 (experiments.futureDefaults)

v5.64.4

Compare Source

Bugfixes

• fix tagged template literal evaluation
• fix ModuleFederation with ESM
• fix outputModule with intial splitChunks

Performance

• upgrade watchpack for faster watcher updating
• track file and directory timestamps separately in watchpack and webpack

Developer Experience

• show origin of singleton shared module in mismatch warning

v5.64.3

Compare Source

Performance

• allow to use pre-compiled schema when Infinity is used in configuration
• allow to use pre-compiled schema for configuration arrays

v5.64.2

Compare Source

Bugfixes

• avoid double initial compilation due to invalid dependencies with managedPaths

v5.64.1

Compare Source

Bugfixes

• fix regexp in managedPaths to exclude additional slash
• make module.accept errorHandler optional in typings
• correctly create an async chunk when using a require(...).property in require.ensure
• fix cleaning of symlinks in output.clean: true
• fix change detection with unsafeCache within managedPaths (node_modules)
• bump webpack-sources for Stack Overflow bugfix

v5.64.0

Compare Source

Features

• add asyncChunks: boolean option to disable creation of async chunks

Bugfixes

• fix ProfilingPlugin for experiments.backCompat: false

Performance

• avoid running regexp twice over the file list

v5.63.0

Compare Source

Features

• allow passing chunkLoading: false to disable on-demand loading

Bugfixes

• fix import 'single-quote' in esm build dependencies

v5.62.2

Compare Source

Bugfixes

• fix __system_context__ injection when using the library option on entrypoint
• enable exportsPresence: "error" by default in futureDefaults
• fix bad performance for a RegExp in Stats printing (with large error messages)
• fix exportPresence -> exportsPresence typo
• fix a bug with module invalidation when only module id changes with experiments.cacheUnaffected

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.15%. Comparing base (588ffe4) to head (cfccac2).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #295   +/-   ##
=======================================
  Coverage   90.15%   90.15%           
=======================================
  Files          66       66           
  Lines         650      650           
  Branches       83       83           
=======================================
  Hits          586      586           
  Misses         64       64           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud